PROBABLYPWNED
Vulnerabilities · May 29, 2026 · 3 min read

Cisco SD-WAN CVSS 10 Flaw Under Active Attack — Patch Now

CVE-2026-20182 lets unauthenticated attackers gain admin access to Cisco Catalyst SD-WAN controllers. CISA has added it to the KEV catalog with a federal remediation deadline. Here's what you need to know.

Marcus Chen

Cisco has confirmed active exploitation of a maximum-severity authentication bypass in its Catalyst SD-WAN Controller product line. The flaw, tracked as CVE-2026-20182, carries a CVSS score of 10.0 and allows unauthenticated remote attackers to obtain full administrative privileges on affected systems.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog this week, requiring federal agencies to remediate before the deadline.

What's Happening

The vulnerability exists in the peering authentication mechanism used by Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). An attacker can send specially crafted requests to bypass authentication entirely and log in as a high-privileged internal user account.

Once in, attackers can access NETCONF interfaces and manipulate network configurations across the entire SD-WAN fabric. For organizations relying on SD-WAN for branch connectivity and cloud access, this is about as bad as it gets.

The flaw affects the "vdaemon" service over DTLS on UDP port 12346—the same service previously exploited via CVE-2026-20127, though Cisco emphasizes this is a separate vulnerability, not a patch bypass.

Who's Affected

The vulnerability impacts multiple deployment models:

  • On-premises Cisco Catalyst SD-WAN deployments
  • Cisco SD-WAN Cloud-Pro environments
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Organizations exposing management interfaces to the internet are at highest risk. Rapid7, which discovered the flaw, noted that internet-accessible systems with exposed ports face immediate danger.

Active Exploitation Confirmed

Cisco's Product Security Incident Response Team (PSIRT) confirmed "limited exploitation" in May 2026. The activity clusters under UAT-8616, a sophisticated threat actor that previously exploited CVE-2026-20127 in SD-WAN environments as far back as 2023.

The pattern suggests UAT-8616 maintains persistent interest in SD-WAN infrastructure, likely for network-level access that enables broader espionage or disruptive operations. This follows a trend we covered in our analysis of SonicWall VPN MFA bypasses being chained with ransomware deployments.

Detection Guidance

Security teams should audit authentication logs immediately. According to Rapid7's advisory, look for:

  1. SSH authentication anomalies — Check /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown or unauthorized IP addresses
  2. Unexpected peering events — Investigate any peering relationships with unfamiliar IP origins
  3. Configuration changes — Review NETCONF activity for unauthorized modifications
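The first detection item above is easy to automate. The script below is an added example written for this post, not Cisco's or Rapid7's tooling: it parses OpenSSH-style auth.log lines, picks out accepted logins for the watched internal account, and flags any whose source address falls outside an allowlist of management networks. The log lines and the 10.0.5.0/24 management range are constructed for the example; the account name comes from the advisory text above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines for this example (not from a real system).
SAMPLE_AUTH_LOG = """\
May 28 02:11:09 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.0.5.12 port 51022 ssh2: RSA SHA256:AAAA
May 28 02:13:47 vmanage sshd[4190]: Accepted publickey for vmanage-admin from 198.51.100.23 port 40511 ssh2: RSA SHA256:BBBB
May 28 02:15:02 vmanage sshd[4203]: Failed password for admin from 203.0.113.9 port 33100 ssh2
May 28 02:16:30 vmanage sshd[4210]: Accepted publickey for netops from 10.0.5.40 port 50210 ssh2: ED25519 SHA256:CCCC
"""

# Hypothetical allowlist of management-plane networks; replace with your own ranges.
TRUSTED_MGMT_NETWORKS = [ip_network("10.0.5.0/24")]

# Internal accounts whose logins should only ever originate from trusted networks.
WATCHED_USERS = ("vmanage-admin",)

# Matches only successful sshd logins, capturing timestamp, auth method, user and source IP.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    method: str
    source_ip: str


def is_trusted(ip_text, trusted_networks):
    """True if the address parses and sits inside one of the trusted networks.
    Anything that does not parse as an IP is treated as untrusted."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def find_suspicious_logins(log_text, watched_users=WATCHED_USERS,
                           trusted_networks=TRUSTED_MGMT_NETWORKS):
    """Return accepted logins for watched accounts that came from outside trusted networks."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are not in scope here
        if m["user"] in watched_users and not is_trusted(m["ip"], trusted_networks):
            findings.append(Finding(m["ts"], m["user"], m["method"], m["ip"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{f.timestamp} {f.user} accepted {f.method} login from untrusted {f.source_ip}")
```

Run against the sample, only the login from 198.51.100.23 is reported; the first vmanage-admin login comes from the management range and the netops login is not a watched account. In production, feed the real /var/log/auth.log and tune the allowlist to the jump hosts and management subnets that are actually authorized to reach the controller.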

Recommended Actions

  1. Patch immediately — Apply Cisco's fixed software release. There are no workarounds that fully address this vulnerability
  2. Isolate management interfaces — If patching isn't immediately possible, ensure SD-WAN management ports (especially UDP 12346) aren't exposed to untrusted networks
  3. Audit existing access — Review authorized SSH keys and admin accounts for unauthorized additions
  4. Enable logging — Ensure authentication and configuration change logs are being collected and monitored

Why This Matters

CVSS 10 vulnerabilities don't come along often. When they do—and they're under active exploitation—the response window shrinks dramatically. SD-WAN has become critical infrastructure for distributed enterprises, connecting hundreds or thousands of branch locations to cloud workloads and data centers.

Compromise at the controller level means attackers can intercept traffic, redirect communications, or pivot to connected systems across the entire fabric. The threat actor already exploiting this has demonstrated sustained capability and interest in this attack surface.

For organizations running Cisco SD-WAN, this should be an all-hands remediation. Check your exposure, patch what you can, and assume compromise if you've had management interfaces exposed.


This vulnerability was disclosed by Rapid7. Cisco's advisory is available at sec.cloudapps.cisco.com.
