Exploits

Cisco SD-WAN Authentication Bypass Zero Day Gets CVSS 10

Published  ·  9 min read

Cisco has released emergency updates for a critical vulnerability in its Catalyst SD-WAN Controller, and the flaw carries a CVSS score of 10.0 which is the highest possible severity rating.

The Cisco SD-WAN authentication bypass zero day is tracked as CVE-2026-20182, and Cisco confirmed that the vulnerability has been exploited in limited attacks already.

The flaw allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system, and the attacker can then manipulate network configuration for the entire SD-WAN fabric.

What Is Catalyst SD-WAN?

Cisco Catalyst SD-WAN (Software-Defined Wide Area Network) is the name of Cisco's new technology previously called SD-WAN vSmart and vManage. This solution allows organizations to manage their network traffic similar to other technologies. However, it provides additional security, is much easier to implement and is able to operate across multiple data centers.

The zero-day vulnerability related to Cisco's SD-WAN authentication bypass exploits the vulnerability within the peering authentication mechanism used to authenticate each other for the purpose of sharing network information between the various SD-WAN components.

A malfunction in this authentication mechanism allows an attacker to send crafted requests to the affected system, and the system mistakenly treats the attacker as an authenticated peer.

The vdaemon Service

The Cisco SD-WAN authentication bypass zero day resides in the vdaemon service, and this service communicates over DTLS on UDP port 12346.

Rapid7 researchers Jonah Burgess and Stephen Fewer discovered CVE-2026-20182, and they noted that the new vulnerability is not a patch bypass of a previous flaw, it is a different issue located in a similar part of the vdaemon networking stack.

The previous vulnerability was CVE-2026-20127, which also had a CVSS score of 10.0, and that flaw was exploited by a threat actor called UAT-8616 since at least 2023.

The Cisco SD-WAN authentication bypass zero day affects the same service on the same port, but it is a different underlying bug, and Rapid7 confirmed that the patch for CVE-2026-20127 does not protect against this new flaw.

What Can Be Done By an Attacker

By succeeding in the Cisco SD-WAN authentication bypass zero day exploit, an attacker is then able to log into the Cisco Catalyst SD-WAN Controller with an internal high privileged user account (not root). Once logged into the controller, an attacker can access NETCONF (a network configuration protocol) and can make changes to the network configuration of the entire SD-WAN Fabric.

The Cisco SD-WAN authentication bypass zero day essentially gives the attacker control over how network traffic flows across the organization's SD-WAN, they could redirect traffic, intercept communications, or cause outages.

This level of access on an SD-WAN controller is catastrophic because the controller manages all branch office routers and network policies.

Affected Deployments

The Cisco SD-WAN authentication bypass zero day affects multiple deployment types including on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Any organization using Cisco Catalyst SD-WAN should assume they are vulnerable if they have not applied the latest updates.

Cisco noted that systems accessible over the internet with exposed ports are at increased risk of compromise, and attackers are actively scanning for vulnerable SD-WAN controllers.

Limited Exploitation Detected

In May of 2026, Cisco became aware of limited exploitation of the Cisco SD-WAN authentication bypass zero-day vulnerability, and have urged customers to get the latest updates in a hurry. 

Malicious actors are currently using this vulnerability to target systems where it can be exploited since it is currently very common and publicly known how to leverage this vulnerability.

Limited exploitation often means the attacks are targeted rather than widespread, but targeted attacks on SD-WAN controllers can cause enormous damage to specific organizations.

Indicators of Compromise

Cisco provided several indicators that organizations can use to detect exploitation of the Cisco SD-WAN authentication bypass zero day:

1. Use /var/log/auth.log to look up logs that contain both the phrase 'Accepted publickey for vmanage-admin' and the phrase 'from unrecognized or unauthorized address' when establishing a connection for the user vmanage-admin using a public key.

2. Review peer logs for possible suspicious event pairs. Search the peer logs for signs of the Cisco SD-WAN Authentication Bypass Zero Day Attack, including, but not limited to, authentication attempts from unknown IP addresses, authentication attempts from unrecognized types of devices, or authentication attempts made at odd times.

3. Monitor UDP Port 12346 (the vdaemon service listens). Any outbound traffic that is not from a recognized source (IP address) may be trying to compromise the system.

Similarities to CVE-2026-20127

The Cisco SD-WAN authentication bypass zero day has echoes of CVE-2026-20127, which was another critical authentication bypass affecting the same component.

CVE-2026-20127 was exploited by a threat actor called UAT-8616 since at least 2023, and that actor may have been the first to discover the attack surface.

Rapid7 explained that the new vulnerability is not a patch bypass, it is a different issue located in a similar part of the vdaemon networking stack, but the end result is the same, a remote unauthenticated attacker can abuse the vulnerability to become an authenticated peer and carry out privileged operations.

The fact that two separate CVSS 10 flaws exist in the same component suggests that the vdaemon authentication design may need broader review.

Who Discovered the Flaw

The Cisco SD-WAN authentication bypass zero day was discovered by Rapid7, which is a cybersecurity company known for the Metasploit framework and vulnerability research.

Rapid7 researchers Jonah Burgess and Stephen Fewer analyzed the vdaemon service and found the authentication bypass, they reported it to Cisco through coordinated disclosure.

Cisco acknowledged the vulnerability and released patches, but not before limited exploitation was detected in the wild.

NETCONF Risks

One of the most concerning aspects of the Cisco SD-WAN Authentication Bypass Zero-Day Exploit is that after a successful exploitation of the vulnerability that allows for authentication bypass in Cisco SD-WAN, an attacker will have access to NETCONF.

NETCONF (Network Configuration Protocol) is defined in RFC 6241, and allows for programmatic configuration of network devices over a secured connection.

An attacker with NETCONF access to an SD-WAN controller can read the entire network configuration, modify routing policies, change security settings, add new network devices, and delete existing configurations.

The Cisco SD-WAN authentication bypass zero day gives attackers the keys to the entire network kingdom.

How to Protect Your SD-WAN

The Cisco SD-WAN authentication bypass zero day is serious, and organizations need to act immediately:

1. Apply the patch immediately. Cisco has released updates for the Cisco SD-WAN authentication bypass zero day, install them as soon as possible, do not wait for a scheduled maintenance window.

2. Restrict the access to UDP port 12346. If you are unable to patch at this time, limit access to UDP port 12346 to trusted IP addresses only. The Cisco SD-WAN authentication bypass zero day requires access to the UDP port for network access.

3. Review your logs for indications of compromise. You should search for any unauthorized vmanage-admin authentication and evaluate the peering events to identify anything suspicious. If you see evidence that you have been exploited, you can reasonably assume that you have given your attacker total access to your entire SD-WAN infrastructure.

4. Monitor for unexpected NETCONF changes. The Cisco SD-WAN authentication bypass zero day allows attackers to modify network configuration through NETCONF, monitor for unexpected configuration changes.

5. Consider internet exposure. Cisco noted that systems accessible over the internet with exposed ports are at increased risk, if your SD-WAN controller is internet-facing, move it behind additional firewall layers.

The UAT-8616 Threat Actor

The Cisco SD-WAN authentication bypass zero day is not the first time this component has been targeted, CVE-2026-20127 was exploited by a threat actor called UAT-8616 since at least 2023.

UAT-8616 is a tracked threat actor, and their focus on SD-WAN controllers suggests they are interested in network infrastructure rather than end-user systems.

The same actor may be behind the limited exploitation of CVE-2026-20182, but Cisco did not attribute the new attacks to any specific group.

Final Thoughts

The Cisco SD-WAN authentication bypass zero day is exactly the kind of vulnerability that keeps network administrators awake at night, it requires no authentication, it works remotely over the network, and it gives attackers full administrative control.

The Cisco SD-WAN authentication bypass zero day has a perfect CVSS score of 10.0, and Cisco confirmed limited exploitation in May 2026, meaning the attacks are already happening.

If you run Cisco Catalyst SD-WAN, stop reading and check your patch status right now, update immediately, audit your logs, and assume that if your controller was internet-facing, someone may have already found it.

FAQ Section

What is CVE-2026-20182?

CVE-2026-20182 is a Cisco SD-WAN authentication bypass zero day with a CVSS score of 10.0, the flaw affects Catalyst SD-WAN Controller and allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Has exploitation of the Cisco SD-WAN authentication bypass (CVE-2026-20182) occurred? 

There was ongoing exploitation of the vulnerability prior to May 2022 and examples have also been documented, according to Yahoo. To resolve fix this issue, organizations should implement these fixes AS SOON AS POSSIBLE.

Which services and ports will be impacted by CVE-2026-20182? 

Both vdaemon service exposed over dtls (udp port 12346) and CVE-2026-20127 are affected.

Is this an extension of CVE-2026-20127 exploit, or is it a new exploit in its own right?

According to Rapid7, it is a newly identified vulnerability because it has been discovered within proximity of the first, but ultimately has the same endpoint result as CVE-2026-20127.

What should I do to figure out if my Cisco SD-WAN has been accessed without permission due to an 0-day vulnerability concerning authentication bypass on SD-WAN?

Review all readings of the /var/log/auth.log file for accepted publickey by the vmanage-admin being accepted by an unknown source. Also, review the connections of your peer and the times that they were connected to ensure there was no unexpected access to the Cisco SD-WAN network from unknown peer sources.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067