PROBABLYPWNED
Vulnerabilities | May 15, 2026 | 3 min read

Cisco SD-WAN Auth Bypass Hits CVSS 10.0, CISA Sets May 17 Deadline

CVE-2026-20182 allows unauthenticated attackers to gain admin access to Cisco Catalyst SD-WAN controllers. CISA added it to the KEV catalog after confirmed exploitation.

Marcus Chen

A maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller is now under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of May 17, 2026.

CVE-2026-20182 carries a CVSS score of 10.0—the highest possible rating. The flaw allows unauthenticated remote attackers to bypass authentication entirely and gain administrative privileges on affected devices. Cisco's Product Security Incident Response Team confirmed limited exploitation in the wild, attributed to the threat actor cluster tracked as UAT-8616.

How the Attack Works

The vulnerability targets the vdaemon service, which listens on UDP port 12346 over DTLS. The flaw stems from a malfunction in the peering authentication mechanism that allows attackers to initiate a DTLS connection using a self-signed certificate, then send a crafted message claiming to originate from a high-trust peer type.

Once authenticated as a trusted peer, attackers log into the SD-WAN Controller as an internal high-privileged user account. From there, they can access NETCONF and manipulate network configurations across the entire SD-WAN fabric—potentially rerouting traffic, intercepting communications, or establishing persistent access.

Affected Products

The vulnerability impacts multiple Cisco SD-WAN deployment types:

  • Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
  • On-premises deployments
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Organizations running internet-accessible SD-WAN management interfaces face the highest risk. The attack requires no authentication, no special headers, and no specific URL patterns—just network reachability to the vulnerable service.

UAT-8616 Threat Actor

According to Rapid7 researchers, UAT-8616 has exploited similar vulnerabilities in Cisco SD-WAN infrastructure since at least 2023. This vulnerability parallels CVE-2026-20127, another CVSS 10.0 flaw that exploited the same vdaemon service—suggesting systematic research into this attack surface.

Cisco Talos published additional analysis of ongoing SD-WAN exploitation patterns that organizations should review for detection guidance and indicators of compromise.

Remediation Steps

  1. Patch immediately - Apply the security update from Cisco's advisory
  2. Restrict network access - Block UDP port 12346 from untrusted networks
  3. Review logs - Check for anomalous DTLS connections or unexpected admin sessions
  4. Verify configurations - Audit SD-WAN fabric settings for unauthorized changes
  5. Assume compromise - If your controller was internet-exposed, conduct full incident response
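A defender-side check for steps 2 and 3 above, added here as an example and not code from the article, from Cisco, or from Rapid7: it scans firewall flow logs for UDP/12346 traffic (the vdaemon DTLS port named in the advisory) coming from sources outside a list of known fabric peers, and separates flows the firewall let through from ones it already blocked. The key=value log format, the peer networks, and the sample lines are all constructed assumptions; adapt `parse_flow_line` to your firewall's actual export format.

```python
"""Flag UDP/12346 (Cisco SD-WAN vdaemon DTLS) flows from sources that are not known fabric peers.

Added example. The log format, the peer allowlist, and the sample lines are
constructed assumptions, not Cisco's own log format or your real topology.
"""
import ipaddress
from typing import Dict, Iterable, List

VDAEMON_PORT = 12346  # per the advisory: vdaemon listens on UDP 12346 over DTLS

# Constructed allowlist: networks from which legitimate SD-WAN peers
# (edge routers, Manager, other controllers) are expected to connect.
KNOWN_PEER_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("172.16.50.0/24"),
]

# Constructed flow-log lines in a simple key=value format (assumed, not a vendor format).
SAMPLE_FLOW_LOG = """\
ts=2026-05-15T08:01:12Z src=10.10.4.21 dst=203.0.113.10 proto=udp dport=12346 action=allow
ts=2026-05-15T08:02:40Z src=198.51.100.77 dst=203.0.113.10 proto=udp dport=12346 action=allow
ts=2026-05-15T08:03:05Z src=172.16.50.9 dst=203.0.113.10 proto=udp dport=12346 action=allow
ts=2026-05-15T08:03:59Z src=198.51.100.77 dst=203.0.113.10 proto=tcp dport=443 action=allow
ts=2026-05-15T08:05:11Z src=192.0.2.200 dst=203.0.113.10 proto=udp dport=12346 action=deny
"""


def parse_flow_line(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_known_peer(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted peer networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_PEER_NETWORKS)


def find_untrusted_vdaemon_flows(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return flow records for UDP/12346 traffic whose source is outside the allowlist."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_flow_line(line)
        if rec.get("proto") != "udp" or rec.get("dport") != str(VDAEMON_PORT):
            continue
        src = rec.get("src")
        if src and not is_known_peer(src):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count flows per untrusted source by firewall action.

    Sources with 'allow' counts reached the controller and warrant incident review
    (step 5); 'deny' counts show the port restriction in step 2 doing its job.
    """
    summary: Dict[str, Dict[str, int]] = {}
    for rec in hits:
        entry = summary.setdefault(rec["src"], {"allow": 0, "deny": 0})
        action = rec.get("action", "unknown")
        entry[action] = entry.get(action, 0) + 1
    return summary


if __name__ == "__main__":
    flows = find_untrusted_vdaemon_flows(SAMPLE_FLOW_LOG.splitlines())
    for src, counts in summarize(flows).items():
        print(f"{src}: {counts['allow']} allowed, {counts['deny']} denied UDP/{VDAEMON_PORT} flows")
```

Run it against a day of exported flow logs and treat any source with a non-zero `allow` count as a lead for the log review and configuration audit in steps 3 and 4; if you have no allowlist yet, the Manager's list of registered edges and controllers is the place to build one from.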

Federal agencies must remediate by May 17, 2026 per CISA's KEV requirements. Private sector organizations should treat this deadline as their own—the exploit window is already open.

Why This Matters

SD-WAN controllers sit at the center of enterprise network architecture, managing traffic routing across branch offices, data centers, and cloud environments. Compromising these devices gives attackers visibility into and control over network communications at scale. The active exploitation combined with trivial attack requirements makes this one of the most urgent patches of the month.

This adds to a difficult May for network defenders—Microsoft's Patch Tuesday already delivered 120 vulnerabilities including 17 critical RCEs, and Fortinet disclosed critical flaws in FortiSandbox and FortiAuthenticator just days ago.
