PT-2026-40959 · Cisco · Catalyst SD-WAN Manager +1
Jonah Burgess
Published 2026-05-14 · Updated 2026-06-29
CVE-2026-20182
CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cisco Catalyst SD-WAN Controller (affected versions not specified)
Cisco Catalyst SD-WAN Manager (affected versions not specified)
Cisco Catalyst SD-WAN Validator (affected versions not specified)
Description
A flaw in the peering authentication mechanism of the control-connection handshake allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. The issue exists because the vdaemon service fails to properly validate the certificates and tokens presented during inter-controller session setup. By sending crafted requests, such as opening a DTLS control connection with a self-signed certificate, an attacker can impersonate a trusted peer and be granted a high-privileged internal user account. With that account the attacker can use NETCONF to manipulate global routing tables, inject malicious routing policies and modify network configurations across the entire SD-WAN fabric. This issue has been actively exploited in the wild by sophisticated threat actors, including the group UAT-8616, to deploy SSH keys, install web shells and run cryptocurrency miners.
Recommendations
Apply the security fixes provided in Cisco Security Advisory cisco-sa-sdwan-rpa2-v69WY2SW. This entry does not list affected versions, so check the advisory for the fixed releases that apply to each Controller, Manager and Validator deployment.
Restrict management-plane access to known administrative IP ranges via Access Control Lists (ACLs) to ensure the peering authentication endpoint is not reachable from arbitrary network sources.
Restrict all inbound external access to NETCONF endpoints.
Audit peering logs for unauthorized attachment sequences and inspect user databases for unauthorized secondary administrative accounts.
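As an added example that is not part of this advisory or of Cisco's own tooling, the following Python script implements the two audit steps above over constructed data: it flags accepted control-connection peerings whose certificate is self-signed, not from the trusted CA, or from an address outside the controller inventory, and it lists administrative accounts missing from a known-good baseline. The key=value log schema (fields `peer`, `role`, `issuer`, `self_signed`, `result`), the trust-anchor name `Example-SDWAN-CA`, the controller inventory, the group name `netadmin` and the account list are all assumptions for illustration; real Catalyst SD-WAN log and user-export formats differ and must be mapped onto these fields first.

```python
"""Hunt for the two indicators the recommendations call out:
  1. control-connection peerings accepted with an untrusted or self-signed
     certificate (the handshake abuse described above), and
  2. administrative accounts that are not in the known-good baseline.

Everything below is an assumption for illustration: the key=value log schema,
the field names, the trust-anchor name, the controller inventory and the
account list are constructed and are NOT Cisco's real vdaemon or user-database
formats.
"""
import shlex
from dataclasses import dataclass

# Constructed sample peering events in a hypothetical key=value schema.
# The third line models the exploitation pattern: a self-signed certificate from
# an unknown address is accepted; the fourth shows what a correct rejection looks like.
SAMPLE_PEERING_LOG = """\
2026-05-20T10:01:02Z vdaemon peer=10.10.0.11 role=vsmart issuer="Example-SDWAN-CA" self_signed=false result=accepted
2026-05-20T10:01:09Z vdaemon peer=10.10.0.12 role=vbond issuer="Example-SDWAN-CA" self_signed=false result=accepted
2026-05-20T10:07:44Z vdaemon peer=203.0.113.77 role=vsmart issuer="203.0.113.77" self_signed=true result=accepted
2026-05-20T10:07:45Z vdaemon peer=203.0.113.77 role=vsmart issuer="203.0.113.77" self_signed=true result=rejected
2026-05-20T10:09:10Z vdaemon peer=198.51.100.9 role=vsmart issuer="Example-SDWAN-CA" self_signed=false result=accepted
"""

TRUSTED_ISSUERS = {"Example-SDWAN-CA"}            # assumed trust anchor for peer certs
KNOWN_CONTROLLERS = {"10.10.0.11", "10.10.0.12"}   # constructed controller inventory


def parse_event(line: str) -> dict:
    """Parse one line of the assumed '<ts> <daemon> key=value ...' schema.

    shlex handles quoted values, so issuer="Some CA Name" survives as one field.
    """
    ts, daemon, rest = line.split(" ", 2)
    fields = {"ts": ts, "daemon": daemon}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def suspicious_peerings(log_text: str,
                        trusted_issuers=TRUSTED_ISSUERS,
                        known_peers=KNOWN_CONTROLLERS):
    """Return (timestamp, peer, reasons) for every *accepted* peering that
    should not have been trusted. Rejected handshakes are normal and skipped.
    A certificate from the trusted CA is still flagged when the peer address is
    not in the inventory, so a stolen or mis-issued cert does not pass silently.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("result") != "accepted":
            continue
        reasons = []
        if ev.get("self_signed") == "true":
            reasons.append("self-signed certificate accepted")
        if ev.get("issuer") not in trusted_issuers:
            reasons.append(f"issuer {ev.get('issuer')!r} is not a trusted anchor")
        if ev.get("peer") not in known_peers:
            reasons.append(f"peer {ev.get('peer')} not in controller inventory")
        if reasons:
            hits.append((ev["ts"], ev["peer"], reasons))
    return hits


@dataclass
class Account:
    name: str
    group: str
    created: str  # ISO date; constructed


BASELINE_ADMINS = {"admin", "netops-svc"}  # assumed known-good administrative accounts

# Constructed user-database dump; the last entry models a secondary admin
# account created on the day of the suspicious peering above.
SAMPLE_ACCOUNTS = [
    Account("admin", "netadmin", "2024-01-15"),
    Account("netops-svc", "netadmin", "2024-03-02"),
    Account("readonly-noc", "operator", "2025-06-20"),
    Account("vmanage-support", "netadmin", "2026-05-20"),
]


def unexpected_admins(accounts, baseline=BASELINE_ADMINS, admin_groups=("netadmin",)):
    """Accounts in an administrative group that are absent from the baseline."""
    return [a for a in accounts if a.group in admin_groups and a.name not in baseline]


if __name__ == "__main__":
    for ts, peer, reasons in suspicious_peerings(SAMPLE_PEERING_LOG):
        print(f"{ts} peer {peer}: " + "; ".join(reasons))
    for acct in unexpected_admins(SAMPLE_ACCOUNTS):
        print(f"unexpected admin account {acct.name} "
              f"(group {acct.group}, created {acct.created})")
```

Run against the constructed data, the script reports the accepted self-signed peering from 203.0.113.77, the accepted peering from 198.51.100.9 (trusted CA, but not an inventoried controller) and the `vmanage-support` account; correlating the creation date of an unexpected admin account with the timestamp of a suspicious peering is the quickest way to tell a forgotten service account from the secondary account this exploitation leaves behind.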
Fix
RCE
Improper Authentication
Affected Products
Catalyst SD-WAN Controller
Catalyst SD-WAN Manager