Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Staff Editor 2026-05-14
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html

Publish Date: 2026-05-14 13:45:00

Source Domain: thehackernews.com

Ravie LakshmananMay 14, 2026Vulnerability / Network Security

Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks.

The vulnerability, tracked as CVE-2026-20182, carries a CVSS score of 10.0.

“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said.

The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system.

A successful exploit could permit the attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate network configuration for the SD-WAN fabric..

The vulnerability impacts the following deployments –

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

According to Rapid7, which discovered CVE-2026-20182, the shortcoming has its echoes in CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023.

“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”

That said, the end result is the same: a remote unauthenticated attacker can abuse…

Source

More Stories

Army holds first Cybersecurity Summit at Fort Bragg with local partners

Army holds first Cybersecurity Summit at Fort Bragg with local partners

Staff Editor 2026-05-14
AI drives new debate around CISA software patching deadlines

AI drives new debate around CISA software patching deadlines

Staff Editor 2026-05-14
How a marketing professional changed course for cybersecurity

How a marketing professional changed course for cybersecurity

Staff Editor 2026-05-14

Terms and Conditions - Privacy Policy