THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-30D-001
CYBER · cves zero days · 2026-05-14SCOOP 78

Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS 10.0) Amid China-Nexus Exploitation

Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud .

·FILED 2026-05-14·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

VERDICT — CONFIRMED

QA-reviewed confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS 10.0) Ami
Rapid7

Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud deployments including FedRAMP 'SD-WAN for Government.' The flaw resides in the 'vdaemon' peering-authentication service over DTLS (UDP port 12346). Rapid7 researchers Jonah Burgess and Stephen Fewer, who discovered the bug, traced the root cause to missing verification logic in vbond_proc_challenge_ack(): the handshake fails to validate device-type 2 (vHub) peers, so an unauthenticated attacker can complete a DTLS handshake with any self-signed certificate, claim vHub status, and obtain full administrative authentication with no credentials. Post-exploitation, an attacker injects an SSH public key into the vmanage-admin account, logs into the NETCONF service (SSH over TCP 830), and issues arbitrary NETCONF commands to manipulate network configuration.

Cisco PSIRT confirmed limited active exploitation in May 2026, attributing it to UAT-8616, a threat actor Cisco Talos has tracked targeting Cisco SD-WAN infrastructure since at least 2023; Help Net Security reported that UAT-8616 infrastructure overlaps with Operational Relay Box (ORB) networks associated with China-nexus espionage per Google Mandiant. The flaw affects the same vdaemon service as the earlier CVE-2026-20127 but is a distinct issue, not a patch bypass. It does not affect IOS XE SD-WAN edge routers, only the centralized control plane.

Fixes are available in releases including 20.12.7.1, 20.15.5.2 and 26.1.1.1; earlier versions through 20.15 require migration. The Hacker News and CISA materials indicate the CVE was added to the CISA KEV catalog on May 14, 2026. Cisco recommends reviewing logs for 'Accepted publickey for vmanage-admin' entries from suspicious sources.

Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-30d-001 · filed 2026-05-14 · https://thedwire.com/wire/cyb-30d-001-cisco-patches-maximum-severity-catalyst-sd-wan-auth-bypass.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or
Photo: Namaste jinx · via Wikimedia Commons · CC BY-SA 4.0
CYBER · SCOOP 57

CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or SYSTEM (Severity: MEDIUM)

Palo Alto Networks' May 13 advisory for CVE-2026-0246 describes a privilege-management flaw in the Prisma Access Agent that enables a locally authenticated non-administrative user to escalate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, allowing arbitrary code execution and access to sensitive information otherwise reser

✓ verifiednewSOURCE ↗
READ THE FILE ›
Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — Fi
Malwarebytes / Microsoft
CYBER · SCOOP 52

Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June 2024

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024. Tallies varied slightly by source: BleepingComputer and several outlets reported approximately 120 CVEs including 17 critical (with 14 remote-code-execution flaw

✓ verified
READ THE FILE ›
Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 M
Inside Higher Ed
CYBER · SCOOP 84

Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 Million Records From ~8,800 Schools

Instructure, operator of the Canvas learning-management system, paid a ransom to the extortion group ShinyHunters after two breaches of Canvas within roughly ten days, in what reporting describes as the largest education-sector data incident on record. ShinyHunters claimed to have stolen 3.65 TB of data on approximately 275 million users

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.