Data Breach TodayArchived May 16, 2026✓ Full text saved
Broken vdaemon Peering Authentication Enables Unauthenticated Admin Access A maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller is being actively exploited, giving attackers administrative privileges without authentication. The authentication bypass vulnerability stems from a broken peering authentication mechanism.
Full text archived locally
✦ AI Summary· Claude Sonnet
Network Firewalls, Network Access Control , Security Operations
New Cisco SD-WAN Zero-Day Grants Admin Access
Broken vdaemon Peering Authentication Enables Unauthenticated Admin Access
Tiffany Wang • May 15, 2026
Credit Eligible
Get Permission
Image: Anucha Cheechang/Shutterstock
A maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller is being actively exploited, giving attackers administrative privileges without authentication.
See Also: Multi-Cloud Security Drives Firewall Evolution
The authentication bypass vulnerability, assigned CVE-2026-20182 with a CVSS score of 10, stems from a broken peering authentication mechanism in the vdaemon service. It allows attackers to manipulate SD-WAN's network configuration.
The U.S. Cybersecurity and Infrastructure Agency added the flaw Thursday to its catalog of known exploited vulnerabilities and gave federal agencies until Sunday to fix it.
Cisco attributes the exploit to a threat actor it tracks as UAT-8616, which had previously breached the same service in SD-WAN in hacking incidents dating back to 2023. While the new vulnerability abuses a different issue in the networking service, the two exploits followed the same steps of execution.
"UAT-8616 attempted to add SSH keys, modify NETCONF configurations and escalate to root privileges," Cisco's threat intelligence team Talos said.
Cisco said UAT-8616 targets critical infrastructure sectors, and its infrastructure overlaps with operational relay box networks monitored by Cisco Talos. ORB networks are collections of servers and hacked internet-connected devices frequently linked to Chinese espionage.
Cybersecurity firm Rapid7 discovered the latest exploit while researching the previous SD-WAN vulnerability. The flaw exposes several ports including UDP 12346 - the control-plane peering port used by vdaemon as a trusted communications channel between controllers and edge devices.
UDP port 12346 "carries Overlay Management Protocol (OMP) messages including route advertisements, Transport Locations (TLOC) tables and peer state - the entirety of the SD-WAN overlay routing fabric. Compromising this service means compromising the network," Rapid7 researchers Jonah Burgess and Stephen Fewer said.
Cisco said it found limited exploitation of the vulnerability this month, recommending its customers to upgrade to fixed software releases.
The new round of SD-WAN exploitation comes as Cisco announced a 4,000-person layoff this week and told investors it has incorporated Anthropic's Mythos into its production system and patch development.
Other vulnerabilities in SD-WAN, CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122, are also being exploited since March following public proof-of-concept code.
"Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information and overwrite arbitrary files," Cisco said.