Cisco Warns of Maximum-Severity SD-WAN Controller Auth Bypass (CVE-2026-20182) Exploited as Zero-Day
Cisco has confirmed active exploitation of CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller and Manager that allows unauthenticated attackers to gain full administrative privileges.

Cisco has issued an emergency advisory warning that CVE-2026-20182, a maximum-severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, is being actively exploited in zero-day attacks. The flaw carries a CVSS score of 10.0, the highest possible rating, and allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on affected systems.
The vulnerability resides in the peering authentication mechanism of the "vdaemon" service over DTLS on UDP port 12346. According to Rapid7, which discovered the flaw during research into a separate SD-WAN vulnerability (CVE-2026-20127), CVE-2026-20182 is a different issue located in a similar part of the networking stack and is not a patch bypass of the earlier bug. Rapid7's director of vulnerability intelligence, Douglas McKee, described the situation as attackers becoming "very good at turning centralized network controllers into god-mode access points."
Cisco Talos is tracking the exploitation activity under cluster UAT-8616 with high confidence, noting that exploitation appears to have been limited so far. Talos also reported being aware of additional threat actors, distinct from UAT-8616, exploiting a different set of previously disclosed SD-WAN vulnerabilities. The vulnerability impacts Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) in both on-premises and SD-WAN Cloud deployments.
Cisco has released software updates to address the flaw. The company stated that the issue stems from a peering authentication mechanism that "is not working properly," allowing attackers to exploit the weakness to gain administrative control over the network management platform. Given the critical nature of SD-WAN controllers as centralized network management points, successful exploitation could give attackers broad visibility and control over an organization's entire wide-area network.
Organizations using affected Cisco SD-WAN products are urged to apply patches immediately. No workarounds have been provided, and given the active exploitation in the wild, unpatched systems face imminent risk of compromise. The disclosure follows a pattern of critical vulnerabilities in network management and SD-WAN platforms that provide attackers with centralized access to enterprise networks.