Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS 10.0) Amid China-Nexus Exploitation
Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud .
VERDICT — CONFIRMED

Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud deployments including FedRAMP 'SD-WAN for Government.' The flaw resides in the 'vdaemon' peering-authentication service over DTLS (UDP port 12346). Rapid7 researchers Jonah Burgess and Stephen Fewer, who discovered the bug, traced the root cause to missing verification logic in vbond_proc_challenge_ack(): the handshake fails to validate device-type 2 (vHub) peers, so an unauthenticated attacker can complete a DTLS handshake with any self-signed certificate, claim vHub status, and obtain full administrative authentication with no credentials. Post-exploitation, an attacker injects an SSH public key into the vmanage-admin account, logs into the NETCONF service (SSH over TCP 830), and issues arbitrary NETCONF commands to manipulate network configuration.
Cisco PSIRT confirmed limited active exploitation in May 2026, attributing it to UAT-8616, a threat actor Cisco Talos has tracked targeting Cisco SD-WAN infrastructure since at least 2023; Help Net Security reported that UAT-8616 infrastructure overlaps with Operational Relay Box (ORB) networks associated with China-nexus espionage per Google Mandiant. The flaw affects the same vdaemon service as the earlier CVE-2026-20127 but is a distinct issue, not a patch bypass. It does not affect IOS XE SD-WAN edge routers, only the centralized control plane.
Fixes are available in releases including 20.12.7.1, 20.15.5.2 and 26.1.1.1; earlier versions through 20.15 require migration. The Hacker News and CISA materials indicate the CVE was added to the CISA KEV catalog on May 14, 2026. Cisco recommends reviewing logs for 'Accepted publickey for vmanage-admin' entries from suspicious sources.


