Cisco patches actively exploited Catalyst SD-WAN zero-day that can give attackers admin access


Cisco has released fixes for a maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that attackers have already exploited in limited real-world attacks.

The flaw is tracked as CVE-2026-20182 and carries a CVSS 3.1 score of 10.0. Cisco says an unauthenticated remote attacker can exploit it to bypass authentication and gain administrative privileges on an affected system.

Successful exploitation can allow the attacker to access NETCONF and manipulate network configuration across the SD-WAN fabric. That makes the bug especially dangerous for organizations that use Cisco SD-WAN to control branch, cloud, and enterprise connectivity.

What CVE-2026-20182 affects

CVE-2026-20182 affects Cisco Catalyst SD-WAN Controller, formerly vSmart, and Cisco Catalyst SD-WAN Manager, formerly vManage. Cisco says the vulnerability affects these products regardless of device configuration.

The advisory covers all deployment types, including on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government. Cisco has also addressed the issue in its managed cloud release.

The vulnerability sits in the peering authentication process used by Cisco’s SD-WAN control plane. Attackers who can reach the affected service may be able to appear as a trusted peer without proper authentication.

Item                  Details
CVE                   CVE-2026-20182
Severity              Critical, CVSS 3.1 score of 10.0
Weakness type         CWE-287, improper authentication
Affected products     Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
Main risk             Authentication bypass and administrative access
Exploitation status   Limited exploitation confirmed by Cisco PSIRT
Workaround            No workaround available

How the attack path works

Rapid7 researchers found the flaw while researching a separate Cisco SD-WAN authentication bypass issue disclosed earlier in 2026. The new bug affects the vdaemon service over DTLS on UDP port 12346.

According to Rapid7, the issue is not a patch bypass for the earlier vulnerability. It affects a similar part of the same networking stack and leads to a similar outcome.

The flaw involves device-type-specific verification during the control-plane handshake. Rapid7 found that peers claiming to be a vHub device could move through the authentication flow without the expected certificate verification.

Attackers can turn peering access into persistent NETCONF access

Once an attacker becomes an authenticated peer, the risk does not stop at a temporary connection. Rapid7 says an authenticated peer can inject an attacker-controlled SSH public key into the vmanage-admin account’s authorized keys file.

That account is an internal high-privileged service account used for communication between SD-WAN management and control-plane components. If attackers add their own key, they can connect to NETCONF over TCP port 830 as vmanage-admin.

From there, an attacker can issue NETCONF commands and interact with the running SD-WAN configuration. In an enterprise environment, this could affect routing, policy, segmentation, and control-plane trust.

  • UDP port 12346 is tied to the DTLS control-plane peering service.
  • TCP port 830 exposes NETCONF over SSH.
  • The vmanage-admin account has high privileges inside the SD-WAN environment.
  • Unauthorized public keys in authorized_keys can indicate compromise.
  • Unexpected control-plane peers need manual validation.

Cisco confirms limited active exploitation

Cisco says its Product Security Incident Response Team became aware of limited exploitation of CVE-2026-20182 in May 2026. The company strongly recommends that customers upgrade to a fixed software release.

CISA also added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog on May 14, 2026. Federal civilian agencies had a May 17, 2026 deadline to follow CISA’s Cisco SD-WAN exposure and mitigation guidance.

Private organizations do not fall under the same federal deadline, but the KEV listing is a serious warning. CISA adds vulnerabilities to the catalog when there is evidence of active exploitation.

Indicators admins should check

Cisco advises customers to collect admin-tech files before upgrading. This step helps preserve possible indicators of compromise before logs or diagnostic data change during remediation.

Administrators should review auth.log for accepted public key logins involving vmanage-admin from unknown or unauthorized IP addresses. Cisco says those entries should be compared against known system IPs in the Cisco Catalyst SD-WAN Manager web interface.

Cisco also recommends checking control connection output for active connections that show state up with no challenge-ack. If those signs appear, customers should open a Cisco TAC case for review.

Indicator             What to review
Auth logs             /var/log/auth.log entries showing accepted publickey for vmanage-admin
Injected key file     /home/vmanage-admin/.ssh/authorized_keys
Control connections   show control connections detail or show control connections-history detail
Suspicious state      state: up with challenge-ack: 0
Network ports         UDP 12346 for vdaemon and TCP 830 for NETCONF over SSH

Fixed Cisco SD-WAN releases

Cisco says there are no workarounds for CVE-2026-20182. Patching is the only full remediation.

Customers should upgrade all SD-WAN control components to a fixed release. Cisco’s remediation guidance says administrators should not wait for TAC scan results before upgrading because the upgrade closes the vulnerability.

Several older branches have reached end of software maintenance and must move to a supported fixed release. Cisco also advises customers to stay within their current major release unless TAC gives different guidance.

Cisco Catalyst SD-WAN release   First fixed release
Earlier than 20.9               Migrate to a fixed release
20.9                            20.9.9.1
20.10                           20.12.7.1
20.11                           20.12.7.1
20.12                           20.12.5.4, 20.12.6.2, or 20.12.7.1
20.13                           20.15.5.2
20.14                           20.15.5.2
20.15                           20.15.4.4 or 20.15.5.2
20.16                           20.18.2.2
20.18                           20.18.2.2
26.1                            26.1.1.1

What defenders should do now

Organizations should treat CVE-2026-20182 as an urgent control-plane security issue, not just a routine patch. Cisco SD-WAN controllers manage sensitive network decisions, so compromise can have broad operational impact.

The highest-risk systems are those with exposed controller services or weak management-plane isolation. Admins should verify exposure, collect evidence, upgrade, and review for signs of unauthorized peer activity.

Even after patching, teams should investigate whether attackers already used the vulnerability. A clean upgrade closes the flaw, but it does not automatically remove unauthorized keys or explain suspicious activity that happened before remediation.

  1. Identify all Cisco Catalyst SD-WAN Controller and Manager instances.
  2. Collect admin-tech files from all control components before upgrading.
  3. Upgrade to the correct fixed software release.
  4. Review auth.log for unauthorized vmanage-admin public key logins.
  5. Check control connection history for unexpected peers.
  6. Validate all peer IP addresses against known SD-WAN inventory.
  7. Open a Cisco TAC case if indicators of compromise appear.
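The two log checks above (auth.log review and control-connection state review, steps 4 to 6) can be scripted for triage across many controllers. The following is an added example, not Cisco's or Rapid7's code: it flags vmanage-admin public-key logins from IPs outside a known system-IP inventory and peer records that are "up" without a challenge-ack. The auth.log lines follow the standard OpenSSH "Accepted publickey" format; the control-connection records are a constructed, simplified "key: value" rendering, so the second parser must be adapted to the real `show control connections detail` output.

```python
import re

# Constructed sample auth.log lines (standard sshd wording); not real telemetry.
SAMPLE_AUTH_LOG = """\
May 12 03:14:07 vmanage sshd[2311]: Accepted publickey for vmanage-admin from 10.0.0.5 port 48122 ssh2: RSA SHA256:aaaa
May 12 03:15:19 vmanage sshd[2340]: Accepted publickey for admin from 10.0.0.9 port 48131 ssh2: RSA SHA256:bbbb
May 13 22:41:02 vmanage sshd[9901]: Accepted publickey for vmanage-admin from 198.51.100.23 port 60222 ssh2: ED25519 SHA256:cccc
"""

# Assumed inventory of known SD-WAN system IPs (export the real list from the Manager UI).
KNOWN_SYSTEM_IPS = {"10.0.0.5", "10.0.0.6"}

ACCEPTED_KEY = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)

def suspicious_vmanage_admin_logins(auth_log: str, known_ips: set) -> list:
    """Return (timestamp, ip) for vmanage-admin key logins from IPs not in the inventory."""
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED_KEY.search(line)
        if m and m["user"] == "vmanage-admin" and m["ip"] not in known_ips:
            hits.append((line[:15], m["ip"]))  # syslog timestamp is the first 15 chars
    return hits

# Constructed, simplified per-peer records ("key: value" blocks separated by a blank
# line); this layout is an assumption, not the device's actual output format.
SAMPLE_CONTROL_CONNECTIONS = """\
peer-type: vsmart
system-ip: 10.0.0.6
state: up
challenge-ack: 1

peer-type: vhub
system-ip: 203.0.113.40
state: up
challenge-ack: 0
"""

def peers_up_without_challenge_ack(output: str) -> list:
    """Return peer records that are 'up' but never completed the challenge-ack step."""
    flagged = []
    for block in output.strip().split("\n\n"):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if rec.get("state") == "up" and rec.get("challenge-ack") == "0":
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    print(suspicious_vmanage_admin_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS))
    print(peers_up_without_challenge_ack(SAMPLE_CONTROL_CONNECTIONS))
```

Any hit from either function is a reason to preserve the admin-tech files and open a TAC case rather than simply deleting the key.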

Rapid7 has published technical details and a Metasploit module, which increases the need for fast remediation. Attackers now have more public guidance on how the vulnerability works.

Cisco’s message is clear: there is no workaround, and fixed software is required. Any organization running affected Cisco SD-WAN control components should prioritize the upgrade and review logs for possible compromise.

FAQ

What is CVE-2026-20182?

CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. It can allow an unauthenticated remote attacker to gain administrative access.

Is CVE-2026-20182 being exploited?

Yes. Cisco PSIRT says it became aware of limited exploitation of the vulnerability in May 2026. CISA also added the flaw to its Known Exploited Vulnerabilities catalog.

What products are affected by CVE-2026-20182?

The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration. Cisco lists on-premises, Cloud-Pro, Cisco Managed Cloud, and Government deployments as affected deployment types.

Is there a workaround for CVE-2026-20182?

No. Cisco says there are no workarounds that address this vulnerability. Customers need to upgrade to a fixed software release.

What should Cisco SD-WAN admins check for compromise?

Admins should review /var/log/auth.log for accepted publickey entries involving vmanage-admin from unknown IP addresses. They should also check control connection details for state up with challenge-ack set to 0 and validate all peer connections.
