Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access
By Guru Baran
May 15, 2026
A maximum-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller is being actively exploited in the wild, allowing unauthenticated remote attackers to fully bypass authentication and seize administrative control of enterprise network infrastructure.
Tracked as CVE-2026-20182 with a CVSS score of 10.0, the flaw puts SD-WAN deployments across on-premises, cloud, and government environments at critical risk.
Cisco Catalyst SD-WAN Controller 0-Day
Discovered by Rapid7 Labs researchers Stephen Fewer and Jonah Burgess while investigating a prior SD-WAN vulnerability (CVE-2026-20127), the new flaw exists in the vdaemon service operating over DTLS on UDP port 12346, the same control-plane peering service exploited in February 2026.
The vulnerability is rooted in a logic gap within the vbond_proc_challenge_ack() function, which performs device-type-specific certificate verification during the control connection handshake.
The authentication logic validates peers that identify as vSmart (type 3), vManage (type 5), and vEdge (type 1) but contains no verification code for vHub (device type 2).
An attacker sending a CHALLENGE_ACK message claiming to be a vHub bypasses all certificate checks, causing the peer authentication flag to be set unconditionally to true.
No valid credentials, no CA-signed certificate, and no knowledge of the target SD-WAN topology are required for exploitation.
According to Rapid7 researchers, the full exploit chain is remarkably streamlined: DTLS handshake with any self-signed certificate → receive CHALLENGE → send CHALLENGE_ACK with device type 2 (vHub) → authentication flag set → send Hello message → peer transitions to UP state as a fully trusted control-plane node.
Once authenticated, the attacker abuses the MSG_VMANAGE_TO_PEER message handler (vbond_proc_vmanage_to_peer()), which appends attacker-controlled SSH public keys directly to /home/vmanage-admin/.ssh/authorized_keys — with no input sanitization.
This converts a transient peering session into persistent, credential-independent SSH access to the NETCONF service on TCP port 830 as the high-privileged vmanage-admin account.
Using this account, an attacker can issue arbitrary NETCONF commands to read and manipulate running network configurations across the entire SD-WAN fabric.
A working Metasploit module demonstrating the vHub authentication bypass and key injection has been developed by Rapid7 and is scheduled for full public release on May 27, 2026.
CVE-2026-20182 affects Cisco Catalyst SD-WAN Controller and SD-WAN Manager regardless of configuration, spanning all deployment types, including On-Prem, SD-WAN Cloud-Pro, Cisco Managed Cloud, and SD-WAN for Government (FedRAMP).
The Cisco Product Security Incident Response Team (PSIRT) confirmed limited active exploitation of the vulnerability in May 2026.
Defenders should audit /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unauthorized IP addresses.
Administrators should also run "show control connections detail" or "show control connections-history detail" from Controller/Manager CLIs, watching for "state: up" alongside "challenge-ack: 0", which indicates a peer was authenticated without completing the challenge handshake.
Indicators of Compromise (IOC)
Log file: /var/log/auth.log
Suspicious entry: "Accepted publickey for vmanage-admin" from an unknown IP
Injected file: /home/vmanage-admin/.ssh/authorized_keys (unauthorized key appended)
Suspicious ports: DTLS UDP/12346 (vdaemon), TCP/830 (NETCONF over SSH)
CVE: CVE-2026-20182
CVSS score: 10.0 (Critical)
CWE: CWE-287: Improper Authentication
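The two host-side checks above (auth.log logins as vmanage-admin from outside trusted management networks, and keys appended to authorized_keys that are not in a known-good baseline) can be automated. The script below is an added example, not Cisco's or Rapid7's code; it assumes the appliance writes standard OpenSSH "Accepted publickey" lines and that the reviewer has a baseline of legitimate keys. All sample log lines and keys are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Standard OpenSSH success line (assumed format); vmanage-admin is the
# account the advisory names as the target of the key injection.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

def suspicious_logins(log_lines, allowed_nets, user="vmanage-admin"):
    """Return (source IP, line) for accepted public-key logins as `user`
    whose source address lies outside the trusted management networks."""
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user:
            continue
        addr = ip_address(m.group("ip"))
        if not any(addr in n for n in nets):
            hits.append((str(addr), line.strip()))
    return hits

def unexpected_keys(authorized_keys_text, baseline_keys):
    """Return key lines present in authorized_keys but absent from the
    known-good baseline; the injection appends, so extras are the signal."""
    baseline = {k.strip() for k in baseline_keys}
    extras = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in baseline:
            extras.append(line)
    return extras

# Constructed sample data (not from the article or any real system).
SAMPLE_AUTH_LOG = [
    "May 14 02:11:09 vmanage sshd[2231]: Accepted publickey for vmanage-admin "
    "from 10.10.0.5 port 51022 ssh2: RSA SHA256:AAAA",
    "May 14 02:13:42 vmanage sshd[2290]: Accepted publickey for vmanage-admin "
    "from 203.0.113.77 port 40122 ssh2: ED25519 SHA256:BBBB",
    "May 14 02:14:00 vmanage sshd[2291]: Accepted password for admin "
    "from 10.10.0.9 port 50000 ssh2",
]
TRUSTED_NETS = ["10.10.0.0/24"]  # assumed management range

if __name__ == "__main__":
    for ip, line in suspicious_logins(SAMPLE_AUTH_LOG, TRUSTED_NETS):
        print("ALERT: vmanage-admin key login from untrusted", ip)
```

On a real controller, feed the script the contents of /var/log/auth.log and /home/vmanage-admin/.ssh/authorized_keys, and treat any hit as grounds to collect "request admin-tech" output before remediating.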
Cisco has confirmed there are no workarounds for this vulnerability — patching is the only remediation.
Before upgrading, customers must run the request admin-tech command on all control components to preserve potential forensic evidence of compromise.
Key fixed releases include 20.12.5.4 / 20.12.6.2 / 20.12.7.1 for the 20.12 branch, 20.15.4.4 / 20.15.5.2 for 20.15, 20.18.2.2 for 20.18, and 26.1.1.1 for the 26.1 branch.
Releases earlier than 20.9, as well as versions 20.10, 20.11, 20.13, 20.14, and 20.16, have reached end-of-software maintenance and must migrate to a supported fixed release.
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.