Cisco SD-WAN Zero-Day CVE-2026-20182: CVSS 10.0 Auth Bypass Gives Attackers Full Admin Access

Cisco has patched CVE-2026-20182, a CVSS 10.0 maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that has been actively exploited in the wild. It is the sixth Cisco SD-WAN vulnerability confirmed exploited in 2026, underscoring that enterprise SD-WAN management infrastructure is under sustained attack.

The Flaw

CVE-2026-20182 resides in the vdaemon service’s peer authentication mechanism, operating over DTLS on UDP port 12346. A remote, unauthenticated attacker can exploit the flaw to impersonate an authenticated peer of the target Catalyst SD-WAN Controller or Manager — without any credentials. From that foothold, the attacker can inject their own SSH public key into the vmanage-admin account, obtaining persistent privileged SSH access to the appliance.

The vulnerability is configuration-independent: no deployment configuration protects against it. Every Cisco Catalyst SD-WAN release prior to the patch was affected.

Who Is Exploiting It

Cisco Talos attributes observed exploitation to UAT-8616, described as a highly sophisticated threat actor. While exploitation has been limited in scope so far, the combination of CVSS 10.0 severity, zero authentication requirement, and the management-plane access granted by a successful exploit makes this a critical exposure for any organization running Cisco SD-WAN.

Rapid7 discovered the vulnerability while analyzing a prior Cisco SD-WAN CVE and disclosed it to Cisco on March 9, 2026. Cisco confirmed active exploitation before the patch shipped.

CISA Response

CISA issued Emergency Directive 26-03, requiring Federal agencies to apply mitigations by May 17, 2026. Patches are now available for all supported Cisco Catalyst SD-WAN releases.

What to Do Now

Organizations should apply the Cisco patch immediately, audit the vmanage-admin account’s authorized SSH keys for unexpected entries, and monitor DTLS traffic on UDP 12346 for anomalous peer connections. Full technical details and indicators of compromise are available in the Cisco Security Advisory and the Talos blog on ongoing SD-WAN exploitation.
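The authorized-keys audit recommended above can be scripted. The following is an added example, not code from Cisco, Talos or the original article. It fingerprints every entry in an exported authorized_keys file and reports any that are missing from an approved list. The function names, the approved set and the sample entries are assumptions constructed for illustration, and the file's location on the appliance is not given on this page, so the script takes the file content as text.

```python
import base64, hashlib, shlex, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # public-key type names used by OpenSSH

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Split one authorized_keys line into (options, key_type, blob, comment)."""
    try:
        tokens = shlex.split(line)   # keeps quoted option values together
    except ValueError:               # unbalanced quote, e.g. inside a comment
        tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no public key found")

def audit(text, approved):
    """Return (line_no, kind, detail) for each entry not covered by `approved`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            _options, ktype, blob, comment = parse_entry(line)
            fp = fingerprint(blob)
        except ValueError:           # also covers invalid base64 (binascii.Error)
            findings.append((lineno, "UNPARSEABLE", line[:40]))
            continue
        if fp not in approved:
            findings.append((lineno, "UNAPPROVED", f"{ktype} {fp} {comment}".strip()))
    return findings

def constructed_key(seed, comment, options=""):
    """Constructed sample entry: well-formed ssh-ed25519 blob, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{options} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

SAMPLE = "\n".join([                 # constructed authorized_keys content
    "# constructed sample file",
    constructed_key(1, "netops-automation"),
    constructed_key(2, "unknown@host", 'from="192.0.2.10",no-pty'),
    "ssh-ed25519 not*base64 broken-entry",
])

if __name__ == "__main__":
    approved = {fingerprint(constructed_key(1, "").split()[1])}  # hypothetical allowlist
    for finding in audit(SAMPLE, approved):
        print(*finding)
```

Build the approved set from fingerprints recorded out of band, not from the file being audited, and treat unparseable lines as findings rather than skipping them.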

Six exploited SD-WAN CVEs in 2026 is not a coincidence — SD-WAN management planes are a concentrated target. Treat them accordingly.