CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass
A critical authentication bypass vulnerability (CVE-2026-20182) exists in Cisco Catalyst SD-WAN Controller and Manager, allowing unauthenticated remote attackers to gain administrative privileges. This flaw, rated CVSS 10.0, enables manipulation of SD-WAN fabric configurations. Organizations using affected Cisco SD-WAN products should prioritize patching.
Overview
CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). An unauthenticated, remote attacker can exploit this flaw to bypass authentication, obtain administrative privileges, and manipulate network configurations within the SD-WAN fabric. The vulnerability has a CVSS v3.1 base score of 10.0 and is listed in CISA’s Known Exploited Vulnerabilities Catalog.
Technical Analysis
This vulnerability stems from improper functioning of the peering authentication mechanism in affected Cisco Catalyst SD-WAN systems. An attacker can exploit this by sending crafted requests to the vulnerable system.
- Vulnerability Type: Authentication Bypass (CWE-287)
- Affected Products: Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage).
- Attack Vector: Network (AV:N).
- Prerequisites: No authentication or user interaction required (PR:N, UI:N).
- Exploitation: An unauthenticated, remote attacker sends crafted requests to the affected system.
- Impact: Successful exploitation grants the attacker administrative privileges, allowing them to log in as an internal, high-privileged, non-root user account. From this account, the attacker can access NETCONF to manipulate network configuration for the SD-WAN fabric.
- CVSS 3.1 Score: 10.0 (CRITICAL)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Detection
Detection efforts should focus on identifying unusual access or configuration changes on SD-WAN control plane devices.
- Monitor authentication logs on Cisco Catalyst SD-WAN Controller and Manager for successful logins from unexpected source IPs or user accounts that do not correspond to legitimate administrators.
- Look for unauthorized or unexpected configuration changes within the SD-WAN fabric, particularly those related to NETCONF access or network policies.
- Regularly review the output of Show Control Connections on SD-WAN devices for any anomalies or unauthorized peering connections, as mentioned in Cisco’s advisory.
- Implement network segmentation and monitoring to detect traffic patterns indicative of crafted requests targeting SD-WAN control plane interfaces from unauthorized sources.
Mitigations
Prioritize applying vendor-provided patches and implementing network access controls.
- Apply Security Patches: Immediately apply the security updates provided by Cisco to address CVE-2026-20182. Refer to the Cisco Security Advisories for specific version requirements and upgrade paths.
- Restrict Network Access: Limit network access to Cisco Catalyst SD-WAN Controller and Manager interfaces to only trusted administrative networks and devices. Implement strict firewall rules to prevent unauthorized external access to these systems.
- Monitor Control Plane Activity: Continuously monitor the control plane of your SD-WAN infrastructure for any unusual activity, unauthorized access attempts, or configuration modifications.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-20182
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20182
Indicators of Compromise
No public IOCs available at time of writing.
Generated by gemini-2.5-flash · 1,364 input / 1,080 output tokens · Reviewed and approved by a human analyst before publication