Cisco patches critical SD-WAN Controller flaw after limited exploitation

Cisco has released fixes for a maximum-severity authentication bypass in Catalyst SD-WAN Controller that the company said was exploited in limited attacks in May 2026. The flaw, tracked as CVE-2026-20182, has a CVSS score of 10.0.

KEY FACTS

  • Vulnerability: CVE-2026-20182 allows remote attackers to bypass authentication and gain administrative access.
  • Impact: A successful exploit can let an attacker reach NETCONF and alter SD-WAN network settings.
  • Affected systems: On-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP government deployments are impacted.
  • Risk: Internet-facing controllers with exposed ports are at increased risk of compromise.

In a security advisory, Cisco said the flaw stems from a defect in the peering authentication logic of Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. An unauthenticated remote attacker could exploit it by sending crafted requests to an affected system.

A successful exploit could log the attacker in as an internal, high-privileged non-root user account. That access could then be used to reach NETCONF and manipulate the network configuration for the SD-WAN fabric.

The advisory said the flaw affects on-premises deployments as well as Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government. Cisco also advised customers to check /var/log/auth.log for "Accepted publickey" entries for the vmanage-admin account originating from unknown or unauthorized IP addresses.

Rapid7 said the vulnerability affects the vdaemon service over DTLS on UDP port 12346. The company said it is not a patch bypass of CVE-2026-20127, another critical authentication bypass in the same component, but a different issue in a similar part of the networking stack.

Indicators of compromise include suspicious peering events at unexpected times, connections from unrecognized IP addresses, and device types that do not match the environment. Cisco urged customers to apply updates as soon as possible.
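The auth.log check Cisco recommends, and the "connections from unrecognized IP addresses" indicator above, can be turned into a repeatable scan rather than a one-off grep. The script below is an added example written for this article, not code from Cisco or Rapid7. It assumes the controller's /var/log/auth.log uses the standard OpenSSH syslog line format, and the trusted management networks (TRUSTED_NETWORKS) are a hypothetical allowlist that an operator would replace with their own; the sample log lines are constructed for illustration.

```python
# Added example (not from Cisco's advisory or this article): flag
# "Accepted publickey for vmanage-admin" events in an OpenSSH-style
# auth.log whose source IP falls outside an operator-defined allowlist.
# Assumptions: standard sshd syslog line format; TRUSTED_NETWORKS is a
# hypothetical allowlist the operator must replace with their own ranges.
import ipaddress
import re
import sys
from typing import Dict, Iterable, List

# Matches a standard sshd success line, e.g.
# "May 12 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 198.51.100.23 port 51234 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\w+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)

# Hypothetical allowlist: networks from which admin SSH logins are expected.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_trusted(ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """True if ip parses and lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(addr in net for net in networks)


def find_suspicious_logins(
    lines: Iterable[str], user: str = "vmanage-admin", networks=TRUSTED_NETWORKS
) -> List[Dict[str, str]]:
    """Return accepted public-key logins for `user` from outside `networks`."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != user or m.group("method") != "publickey":
            continue
        if not is_trusted(m.group("ip"), networks):
            hits.append({"ts": m.group("ts"), "ip": m.group("ip"), "port": m.group("port")})
    return hits


# Constructed sample log lines (not real data): one expected login from the
# management network, one from an unknown public address, plus noise.
SAMPLE_LOG = """\
May 12 02:58:41 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 10.1.2.3 port 50122 ssh2: RSA SHA256:abc
May 12 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 198.51.100.23 port 51234 ssh2: RSA SHA256:def
May 12 03:14:09 vmanage sshd[2231]: Accepted password for admin from 203.0.113.5 port 41000 ssh2
May 12 03:20:00 vmanage sshd[2250]: Failed publickey for vmanage-admin from 203.0.113.9 port 42000 ssh2
"""


def scan_file(path: str) -> List[Dict[str, str]]:
    """Scan a real auth.log on disk with the same logic."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_logins(fh)


if __name__ == "__main__":
    # Usage: python scan_auth.py /var/log/auth.log   (defaults to the sample)
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_logins(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit['ts']} vmanage-admin publickey login from untrusted {hit['ip']}:{hit['port']}")
```

Run against the sample, only the 198.51.100.23 login is reported: the 10.1.2.3 login is inside the allowlist, the password login is for a different account, and the failed attempt never produced an "Accepted" line. An empty result is not proof of absence; a sufficiently capable attacker can also edit auth.log, so ship the log off-box and correlate with the peering-time and device-type indicators Cisco lists.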

WHY IT MATTERS

The flaw affects systems that can control SD-WAN infrastructure, which means successful exploitation could give an attacker broad administrative reach inside a network. The disclosure also adds to concerns about repeated high-severity authentication bypass issues in the same Cisco component.