VULNERABILITY OVERVIEW
A vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges by sending crafted requests to the 'vdaemon' service over DTLS (UDP port 12346). A successful exploit lets the attacker inject an SSH public key into the vmanage-admin account, then log in and reach NETCONF (TCP port 830), from which the SD-WAN fabric configuration can be changed at will. Cisco Talos attributes active exploitation to the nation-state-linked threat actor UAT-8616; Rapid7 discovered the flaw and published a working Metasploit module. CISA added the CVE to its Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03, which requires federal agencies to remediate by May 17, 2026. Because the vulnerable service and the post-exploitation path are both network-reachable, exposure of UDP/12346 and TCP/830 on controllers to anything other than fabric members and management hosts is part of the attack surface to assess alongside patching.
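The overview above names the two network artifacts a defender can hunt on: DTLS peering traffic to vdaemon on UDP/12346 and NETCONF sessions on TCP/830 from sources that are not part of the fabric, and an SSH public key planted in the vmanage-admin account. The script below is an added example written for this page; it is not Cisco, Rapid7 or Talos tooling, and the flow-record format, controller addresses, allowlist, and the two ed25519 keys (dummy wire-format blobs with all-zero and all-one key bytes) are constructed for illustration. The fingerprint routine reproduces the "SHA256:" format that ssh-keygen -lf prints, so a baseline can be recorded from a known-good host and compared later.

```python
"""Triage helpers for hunting post-exploitation traces of the vdaemon
authentication bypass on Cisco Catalyst SD-WAN controllers.

Added example, not vendor or researcher tooling. Two checks:
  1. Flow triage: vdaemon peering is DTLS on UDP/12346 and NETCONF is
     TCP/830. A source outside the fabric/management allowlist touching
     either port on a controller is unexpected.
  2. Authorized-key drift: exploitation plants an SSH public key for the
     vmanage-admin account, so compare the current key set against a
     recorded baseline of fingerprints.
Flow format, addresses, allowlist and keys below are constructed (assumed).
"""
import base64
import hashlib
import ipaddress

VDAEMON_DTLS_PORT = 12346
NETCONF_PORT = 830
WATCHED_PORTS = {("udp", VDAEMON_DTLS_PORT), ("tcp", NETCONF_PORT)}

# Assumed environment: one controller, fabric in 10.0.0.0/24, mgmt in 192.0.2.0/24.
CONTROLLERS = {"10.0.0.10"}
ALLOWED_SOURCES = ["10.0.0.0/24", "192.0.2.0/24"]

# Constructed flow records: "src dst proto dport".
SAMPLE_FLOWS = [
    "10.0.0.21 10.0.0.10 udp 12346",     # edge peering with the controller, expected
    "192.0.2.5 10.0.0.10 tcp 830",       # management host using NETCONF, expected
    "203.0.113.77 10.0.0.10 udp 12346",  # unknown source talking to vdaemon
    "203.0.113.77 10.0.0.10 tcp 830",    # same source then opening NETCONF
    "203.0.113.77 10.0.0.10 tcp 443",    # not a watched port
    "203.0.113.77 10.0.0.99 tcp 830",    # not a controller
]

# Dummy ed25519 public keys in OpenSSH wire format (length-prefixed type
# string + 32 key bytes); key bytes are all 0x00 / all 0x01, not real keys.
BASELINE_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40 + " ops-baseline"
INJECTED_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAIAEB" + "AQEB" * 10 + " attacker"
SAMPLE_AUTHORIZED_KEYS = "# vmanage-admin authorized_keys (constructed)\n" \
    + BASELINE_KEY + "\n" + INJECTED_KEY + "\n"


def parse_flow(line):
    """Parse one 'src dst proto dport' record into a dict."""
    src, dst, proto, dport = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def suspicious_flows(lines, controllers, allowed_sources):
    """Return flows to a controller on UDP/12346 or TCP/830 whose source is
    outside the allowlisted fabric and management ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow["dst"] not in controllers:
            continue
        if (flow["proto"], flow["dport"]) not in WATCHED_PORTS:
            continue
        src = ipaddress.ip_address(flow["src"])
        if not any(src in net for net in nets):
            hits.append(flow)
    return hits


def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, in the
    'SHA256:<unpadded base64>' form that ssh-keygen -lf prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(authorized_keys_text, baseline_fingerprints):
    """Return key lines whose fingerprint is not in the recorded baseline."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ssh_fingerprint(line) not in baseline_fingerprints:
            unknown.append(line)
    return unknown


if __name__ == "__main__":
    for flow in suspicious_flows(SAMPLE_FLOWS, CONTROLLERS, ALLOWED_SOURCES):
        print("unexpected %(proto)s/%(dport)d to %(dst)s from %(src)s" % flow)
    baseline = {ssh_fingerprint(BASELINE_KEY)}
    for key in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, baseline):
        print("key not in baseline:", ssh_fingerprint(key), key.split()[-1])
```

In practice the baseline set would be captured from each controller before the exposure window and stored off-box, since an attacker with vmanage-admin can rewrite the on-box file; the flow check is only as good as the allowlist, so record the fabric's real peer addresses rather than broad ranges.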
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Impact: C:H / I:H / A:H
Vector (CVSS v3.x): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0
AFFECTED VERSIONS
Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager: all releases earlier than the fixed release in each supported train (20.9.x, 20.12.x, 20.15.x, 20.16.x). Consult the Cisco advisory for the exact first fixed version in each train.
CITATIONS
- Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- Rapid7 Blog: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/
- Cisco Talos: https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- The Hacker News: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html