PT-2026-40959 · Cisco · Catalyst SD-WAN Controller and Catalyst SD-WAN Manager

Author: Jonah Burgess

Published: 2026-05-14 · Updated: 2026-05-17

CVE-2026-20182 · CVSS v3.1: 10 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cisco Catalyst SD-WAN Controller (affected versions not specified); Cisco Catalyst SD-WAN Manager (affected versions not specified)

Description: A flaw in the peering authentication mechanism of the vdaemon service (UDP port 12346) allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. The issue occurs because the system fails to properly validate certificates and tokens during the control-connection handshake, specifically when a device claims to be of the vHub device type in the vbond_proc_challenge_ack() function. By sending crafted requests during a DTLS handshake, an attacker can be accepted as a trusted peer and gain access to NETCONF, enabling manipulation of network configurations, OMP route manipulation, and TLOC table poisoning across the SD-WAN fabric.

Real-world exploitation has been confirmed, including activity by a state-sponsored group designated UAT-8616. Attackers have been observed injecting SSH keys into /home/vmanage-admin/.ssh/authorized_keys for persistent access and deploying malware that steals AWS keys and runs cryptocurrency miners.

Recommendations: Apply the security fixes provided in Cisco Security Advisory cisco-sa-sdwan-rpa2-v69WY2SW. Modify edge firewall rules to drop all traffic targeting controller management or synchronization ports unless it originates from pre-verified static IP addresses of known infrastructure peers. Restrict all inbound external access to NETCONF endpoints. Review controller logs for unauthorized peering attachment sequences or abrupt configuration changes. Perform a full user inventory via the CLI to identify unauthorized secondary administrative accounts. Export global routing and security policy tables and diff them against known-good backup baselines.
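A defender-side check for the persistence technique noted above, added here as an example (not Cisco's code and not part of the original advisory): it parses an authorized_keys file, computes SHA256 fingerprints the way `ssh-keygen -lf` prints them, and reports every entry whose fingerprint is not in a baseline taken from a known-good backup, as well as lines that do not parse. The key blobs and file contents below are constructed sample data; point the same function at the real /home/vmanage-admin/.ssh/authorized_keys and a baseline exported from your backup to audit a live host.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint_sha256(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[dict]:
    """Parse entries of the form: [options] key-type base64-blob [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps quoted option values like from="..." together
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        try:
            if idx is None or idx > 1 or idx + 1 >= len(fields):
                raise ValueError("no key-type/blob pair found")
            entries.append({"line": lineno, "malformed": False, "key_type": fields[idx],
                            "options": fields[0] if idx == 1 else "",
                            "fingerprint": fingerprint_sha256(fields[idx + 1]),
                            "comment": " ".join(fields[idx + 2:])})
        except ValueError:  # invalid base64 raises a ValueError subclass as well
            entries.append({"line": lineno, "malformed": True, "raw": raw})
    return entries

def find_unexpected_keys(text: str, approved: set[str]) -> list[dict]:
    """Entries whose fingerprint is not in the approved baseline, plus malformed lines."""
    return [e for e in parse_authorized_keys(text)
            if e["malformed"] or e["fingerprint"] not in approved]

def _fake_ed25519_blob(last_byte: int) -> str:
    """Constructed ed25519-shaped blob (not a real key) so the sample decodes cleanly."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(31) + bytes([last_byte])
    return base64.b64encode(blob).decode()

APPROVED_KEY, ROGUE_KEY = _fake_ed25519_blob(1), _fake_ed25519_blob(2)
BASELINE = {fingerprint_sha256(APPROVED_KEY)}  # in practice: fingerprints from a known-good backup
# Constructed sample resembling /home/vmanage-admin/.ssh/authorized_keys after tampering.
SAMPLE = f"""# approved operator key
from="10.0.0.5" ssh-ed25519 {APPROVED_KEY} ops@jumphost
ssh-ed25519 {ROGUE_KEY} root@unknown
"""
print(find_unexpected_keys(SAMPLE, BASELINE))  # the root@unknown entry on line 3
```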

Weakness Enumeration: Improper Authentication

Related Identifiers

BDU:2026-06823
CVE-2026-20182

Affected Products

Catalyst SD-WAN Controller
Catalyst SD-WAN Manager