Overview
CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). An unauthenticated remote attacker can bypass authentication and obtain administrative privileges by exploiting a missing code path in the vdaemon DTLS peering handler — no credentials, no race conditions, no prior access required. Cisco confirmed limited in-the-wild exploitation clustered under threat actor UAT-8616, a sophisticated actor assessed to have been targeting Cisco SD-WAN infrastructure since at least 2023.
What is Cisco Catalyst SD-WAN?
Cisco Catalyst SD-WAN (formerly Cisco SD-WAN / Viptela) is a widely deployed enterprise and government software-defined wide area networking platform. It separates the control plane from the data plane, centralizing network policy through the SD-WAN Controller (vSmart) and management through the SD-WAN Manager (vManage). These components orchestrate routing, security policies, and traffic engineering across hundreds or thousands of branch sites and cloud connections.
SD-WAN controllers are high-value targets: a compromised controller can redirect traffic, manipulate routing tables, insert malicious policies, and provide persistent access to the entire enterprise WAN fabric without touching individual branch devices. Organizations running Cisco Catalyst SD-WAN include large enterprises, ISPs, managed service providers, and U.S. federal agencies — making active exploitation by a long-running sophisticated threat actor particularly significant.
Affected Versions
The vulnerability affects Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Branches 20.13 and 20.14 are end-of-life and will not receive fixes.
| Software Branch | Fixed Version |
|---|---|
| 20.9.x | 20.9.9.1 |
| 20.12.x | 20.12.5.4 / 20.12.6.2 / 20.12.7.1 |
| 20.15.x | 20.15.4.4 / 20.15.5.2 |
| 20.18.x | 20.18.2.2 |
| 26.1.x | 26.1.1.1 |
| 20.13–20.14 | End-of-life — no fix; migrate to supported release |
For the complete version matrix across all 20.10–20.18 minor branches, see the Cisco security advisory.
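The version table above is easy to misread when a branch has several maintenance trains (20.12.5.x, 20.12.6.x, 20.12.7.x each have their own first fixed build, so 20.12.6.1 is still vulnerable even though it sorts above 20.12.5.4). The following Python helper is an added example, not a Cisco tool: it encodes only the table on this page, compares a running version against the fixed build of its own train, treats 20.13 and 20.14 as end-of-life, and returns "unknown-branch" for branches the table does not list (20.10, 20.11, 20.16, 20.17), for which the Cisco advisory is the source of truth. The sample inventory is constructed.

```python
# Added triage helper built from the fixed-version table on this page (not a Cisco tool).
# The table rows are the page's; the status logic and the sample inventory are constructed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed builds per branch, from the table above. 20.12 and 20.15 have several
# maintenance trains, each with its own first fixed build.
FIXED: Dict[Tuple[int, int], List[Version]] = {
    (20, 9):  [(20, 9, 9, 1)],
    (20, 12): [(20, 12, 5, 4), (20, 12, 6, 2), (20, 12, 7, 1)],
    (20, 15): [(20, 15, 4, 4), (20, 15, 5, 2)],
    (20, 18): [(20, 18, 2, 2)],
    (26, 1):  [(26, 1, 1, 1)],
}
END_OF_LIFE = {(20, 13), (20, 14)}


def parse_version(text: str) -> Version:
    """'20.12.5' -> (20, 12, 5, 0); pads to four components so comparisons line up."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2:
        raise ValueError(f"not a branch.release version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def assess(text: str) -> str:
    """Classify one running version against the page's fixed-version table."""
    v = parse_version(text)
    branch = v[:2]
    if branch in END_OF_LIFE:
        return "end-of-life"
    if branch not in FIXED:
        return "unknown-branch"
    # Compare within the same maintenance train when the table lists one.
    same_train = [f for f in FIXED[branch] if f[:3] == v[:3]]
    if same_train:
        return "fixed" if v >= same_train[0] else "vulnerable"
    # Train not listed: anything below the lowest fixed build in the branch needs an upgrade;
    # a later train than any listed one is not covered by this table.
    if v < min(FIXED[branch]):
        return "vulnerable"
    return "check-advisory"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the ones needing action stand out."""
    grouped: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        grouped.setdefault(assess(version), []).append(host)
    return grouped


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {
        "vsmart-1": "20.12.5.3",
        "vsmart-2": "20.12.6.2",
        "vmanage-1": "20.13.1.0",
        "vsmart-3": "20.9.8.1",
    }
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Feed it the output of your inventory step (hostname and running version) and treat every "vulnerable", "end-of-life" and "unknown-branch" host as action items; "check-advisory" means the train is newer than anything in the table and must be confirmed against the Cisco advisory rather than assumed safe.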
Technical Details
Root Cause: Missing vHub Code Path in vdaemon DTLS Authentication
The vulnerability is in the vdaemon service, which handles DTLS (Datagram Transport Layer Security) control-plane peering over UDP port 12346. This port carries Overlay Management Protocol (OMP) messages including route advertisements, TLOC tables, and peer state between SD-WAN components.
During the CHALLENGE_ACK authentication phase, the handler validates device type against known values:
| Device Type | Value | Authentication Check |
|---|---|---|
| vEdge | 1 | Present — credentials validated |
| vHub | 2 | Absent — no code path |
| vSmart / Controller | 3 | Present — credentials validated |
| vManage | 5 | Present — credentials validated |
An attacker claiming device_type = 2 (vHub) causes the authentication function to unconditionally set the authenticated flag without performing any credential validation. The only material requirement is a DTLS connection with any self-signed certificate.
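The root cause is a textbook fail-open dispatch (CWE-287): the authenticated state is reached before the per-type checks run, so a device type with no matching branch keeps it. The Python sketch below is an added illustration, not Cisco's code and not a model of the real vdaemon handler or the DTLS protocol; it only contrasts the two shapes of the dispatch. The device-type values are the ones in the table above; the Peer class, the credential_ok stand-in and the validator table are constructed.

```python
# Illustrative fail-open vs. fail-closed device-type dispatch (hypothetical, not Cisco's code).
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Device-type values from the table on this page.
DEVICE_VEDGE, DEVICE_VHUB, DEVICE_VSMART, DEVICE_VMANAGE = 1, 2, 3, 5


@dataclass
class Peer:
    device_type: int
    credential: Optional[str]  # constructed stand-in for whatever a real handler validates
    authenticated: bool = False


def credential_ok(peer: Peer) -> bool:
    # Constructed check; a real implementation verifies a certificate/identity binding.
    return peer.credential == "valid-credential"


def handle_challenge_ack_fail_open(peer: Peer) -> bool:
    """Anti-pattern: the flag is set first and only *overwritten* by the per-type branches."""
    peer.authenticated = True
    if peer.device_type == DEVICE_VEDGE:
        peer.authenticated = credential_ok(peer)
    elif peer.device_type == DEVICE_VSMART:
        peer.authenticated = credential_ok(peer)
    elif peer.device_type == DEVICE_VMANAGE:
        peer.authenticated = credential_ok(peer)
    # No branch for DEVICE_VHUB (2): the peer stays authenticated with no check at all.
    return peer.authenticated


# Fail-closed: an explicit allowlist of types that have a validator.
VALIDATORS: Dict[int, Callable[[Peer], bool]] = {
    DEVICE_VEDGE: credential_ok,
    DEVICE_VSMART: credential_ok,
    DEVICE_VMANAGE: credential_ok,
}


def handle_challenge_ack_fail_closed(peer: Peer) -> bool:
    """Default-deny: a type with no validator never reaches an authenticated state."""
    peer.authenticated = False
    validator = VALIDATORS.get(peer.device_type)
    if validator is None:
        return False
    peer.authenticated = validator(peer)
    return peer.authenticated


if __name__ == "__main__":
    for dev_type in (DEVICE_VEDGE, DEVICE_VHUB, DEVICE_VSMART, DEVICE_VMANAGE, 99):
        unauth = Peer(dev_type, credential=None)
        print(dev_type,
              "fail-open:", handle_challenge_ack_fail_open(Peer(dev_type, None)),
              "fail-closed:", handle_challenge_ack_fail_closed(unauth))
```

The review check this suggests for any authentication dispatch: the success state must be the last thing assigned, by a branch that actually ran a check, and the default path must reject. Setting the flag up front and relying on every case to clear it turns each forgotten case into an authentication bypass.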
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — UDP port 12346 |
| Privileges Required | None |
| User Interaction | None |
| Race Condition Required | No — deterministic |
| Workaround Available | No |
| Scope | Changed — controller compromise affects entire SD-WAN fabric |
Exploitation Mechanism
- Attacker opens a DTLS connection to the SD-WAN Controller on UDP port 12346 with any self-signed certificate
- Controller sends a CHALLENGE message
- Attacker responds with CHALLENGE_ACK claiming device_type = 2 (vHub)
- Authentication handler finds no code path for type 2 and sets the authenticated flag unconditionally
- Attacker sends message type 14 to inject an SSH public key into the authorized_keys file of the vmanage-admin account
- Attacker establishes persistent NETCONF access on port 830 using the injected key
- From NETCONF, the attacker can read and manipulate the full SD-WAN network configuration
Discovery and Background
CVE-2026-20182 is the latest in a series of authentication weaknesses in Cisco's SD-WAN peering stack. A related earlier vulnerability, CVE-2026-20127, was the subject of CISA Emergency Directive 26-03 issued February 25, 2026, after confirmed exploitation by UAT-8616. Cisco discovered limited exploitation of CVE-2026-20182 in May 2026, published the advisory on May 14, and CISA added it to the KEV catalog the same day with the shortest possible remediation window — three days.
Exploitation Context
Cisco Talos has attributed active exploitation to UAT-8616, a highly sophisticated threat actor assessed to have been targeting Cisco Catalyst SD-WAN infrastructure since at least 2023. The campaign predates the February 2026 CISA emergency directive and continues through this CVE.
UAT-8616's observed post-compromise playbook:
| Technique | Detail |
|---|---|
| Persistence | SSH public key injection into vmanage-admin; creation of malicious local user accounts |
| Privilege escalation | Software version downgrade chained with CVE-2022-20775 (path traversal) to obtain root |
| Defense evasion | Clearing of bash history, syslog, and audit logs to destroy forensic evidence |
| Impact | Manipulation of SD-WAN routing and security policies across the entire managed fabric |
No nation-state attribution has been published. UAT-8616 is characterized as "highly sophisticated," targeting critical infrastructure and high-value organizations. The pattern — targeting the network control plane rather than endpoints — is consistent with intelligence-gathering or pre-positioning for disruptive operations.
Remediation
There are no workarounds. Patching is the only mitigation.
- Apply the patched software version for your branch:
  - 20.9.x → 20.9.9.1
  - 20.12.x → 20.12.5.4, 20.12.6.2, or 20.12.7.1
  - 20.15.x → 20.15.4.4 or 20.15.5.2
  - 20.18.x → 20.18.2.2
  - 26.1.x → 26.1.1.1
  - 20.13–20.14: end-of-life — migrate to a supported release
- Follow CISA Emergency Directive 26-03 mandatory requirements:
  - Inventory all Cisco Catalyst SD-WAN Controller and Manager instances
  - Ensure SD-WAN logs are stored externally and accessible from a centralized location
  - Review logs for unauthorized peering connections, new user accounts, SSH key injection, or version downgrade activity
- Follow the CISA Hunt & Hardening Guidance for specific indicators of compromise and hardening steps.
- Audit authorized_keys and local user accounts on SD-WAN Controller and Manager for unexpected entries — UAT-8616 achieves persistence via SSH key injection and rogue accounts that survive patching.
- Restrict UDP port 12346 to known SD-WAN peers at the network perimeter where operationally possible, as a defense-in-depth measure.
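The log-review and authorized_keys-audit steps above can be scripted once the logs are centralized. The Python below is an added example, not Cisco's or CISA's tooling: it scans constructed syslog-style lines for the four indicators the directive names (peering from an address outside the known-peer allowlist, local user creation, authorized_keys modification, and a software version change to a lower build) and separately compares the key material in an authorized_keys file against an approved baseline. The log format, peer allowlist, baseline keys and sample file contents are all invented for the example; the regular expressions must be adapted to what your own SD-WAN syslog export actually emits.

```python
# Added example: review centralized SD-WAN logs and an authorized_keys file for the
# indicators named in the remediation steps. Log format and samples are constructed,
# not real Cisco output; adapt the regexes to your own syslog pipeline.
import re
from typing import List, Tuple

KNOWN_PEERS = {"10.0.1.10", "10.0.1.11"}  # constructed allowlist of legitimate peers

# Constructed baseline of approved key material ("type blob", comment ignored).
KNOWN_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY000000000000000000000",
}
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed log lines (not real Cisco output).
SAMPLE_LOGS = [
    "2026-05-15T01:02:03Z vsmart1 vdaemon: peer 10.0.1.10 dtls session established port 12346",
    "2026-05-15T01:05:44Z vsmart1 vdaemon: peer 203.0.113.7 dtls session established port 12346",
    "2026-05-15T01:06:10Z vsmart1 confd: user admin added local user 'svc-backup'",
    "2026-05-15T01:06:30Z vsmart1 sshd-audit: /home/vmanage-admin/.ssh/authorized_keys modified",
    "2026-05-15T01:20:00Z vsmart1 sysmgr: software version changed 20.12.5.4 -> 20.12.4.1",
]

# Constructed authorized_keys contents: one approved key, one unknown key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY000000000000000000000 ops@example.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEUNKNOWNKEY0000000000000000000000 unknown@host
"""

PEER_RE = re.compile(r"peer (\S+) dtls session established port 12346")
USER_RE = re.compile(r"added local user '([^']+)'")
KEYS_RE = re.compile(r"authorized_keys modified")
VER_RE = re.compile(r"software version changed (\S+) -> (\S+)")


def _ver(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


def review_logs(lines: List[str], known_peers=KNOWN_PEERS) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs for lines matching the directive's review items."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if (m := PEER_RE.search(line)) and m.group(1) not in known_peers:
            findings.append(("unauthorized_peering", m.group(1)))
        elif (m := USER_RE.search(line)):
            findings.append(("new_local_user", m.group(1)))
        elif KEYS_RE.search(line):
            findings.append(("authorized_keys_change", line.split()[1]))  # hostname field
        elif (m := VER_RE.search(line)) and _ver(m.group(2)) < _ver(m.group(1)):
            findings.append(("version_downgrade", f"{m.group(1)} -> {m.group(2)}"))
    return findings


def audit_authorized_keys(text: str, baseline=KNOWN_KEYS) -> List[str]:
    """Return entries whose key material is not in the approved baseline (or is unparseable)."""
    unexpected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Skip leading options (without embedded spaces) and locate the key-type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            unexpected.append(line)  # unparseable entries deserve a look too
            continue
        material = f"{tokens[idx]} {tokens[idx + 1]}"
        if material not in baseline:
            unexpected.append(line)
    return unexpected


if __name__ == "__main__":
    for indicator, evidence in review_logs(SAMPLE_LOGS):
        print(f"{indicator:24s} {evidence}")
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("unexpected key:", entry)
```

The baseline comparison is on key type plus blob rather than on the trailing comment, because a comment is free text an intruder can set to anything; any entry outside the baseline, and any entry the parser cannot read, is reported for a human to check.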
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-20182 |
| Vendor / Product | Cisco — Catalyst SD-WAN |
| NVD Published | 2026-05-14 |
| NVD Last Modified | 2026-05-14 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 — Improper Authentication |
| CISA KEV Added | 2026-05-14 |
| CISA KEV Deadline | 2026-05-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-01-01 | UAT-8616 begins active exploitation of Cisco Catalyst SD-WAN infrastructure; campaign later assessed to have been running since at least 2023 |
| 2026-02-25 | CISA issues Emergency Directive 26-03 and releases joint guidance with partners on global exploitation of Cisco SD-WAN by UAT-8616, covering CVE-2026-20127 and related vulnerabilities |
| 2026-05-14 | Cisco publishes security advisory for CVE-2026-20182; vulnerability added to CISA KEV catalog with 3-day deadline; Cisco confirms limited in-the-wild exploitation |
| 2026-05-17 | CISA BOD 22-01 remediation deadline |