Cisco Catalyst SD-WAN
Summary
A critical vulnerability, identified as CVE-2026-20182, has been discovered in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. This flaw allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on affected systems. Successful exploitation could allow attackers to manipulate network configurations within the SD-WAN fabric.
Affected Systems and/or Applications
Technical Details
The vulnerability is caused by improper validation within the control connection handshaking and peering authentication process of Cisco Catalyst SD-WAN Controller and SD-WAN Manager.
The issue resides in the vdaemon service, a core SD-WAN process responsible for orchestrating secure control-plane communications, controller peering, and management synchronization between SD-WAN components. The service handles DTLS-based control connections used throughout the SD-WAN fabric.
The vulnerable service listens on UDP port 12346 and processes incoming DTLS peering requests. Successful exploitation requires network access to the affected system over UDP port 12346, which is used for SD-WAN control-plane and peering communications.
During establishment of SD-WAN control connections, the vdaemon service performs certificate-based peer authentication to validate trusted devices participating in the SD-WAN fabric. The vulnerability stems from improper validation logic within device-type-specific authentication handling, which can result in certain peer connections being incorrectly treated as authenticated.
This flaw may allow an unauthenticated remote attacker to impersonate a trusted SD-WAN peer and establish unauthorized control-plane communications with affected systems.
Successful exploitation allows the attacker to obtain access as a high-privileged internal non-root account. From there, the attacker may gain access to administrative management interfaces, including NETCONF services used for centralized SD-WAN orchestration and configuration management.
Because vdaemon is involved in controller trust relationships and control-plane communications, compromise of the service could permit unauthorized modification of SD-WAN policies, routing behavior, device templates, and broader SD-WAN fabric configurations.
Cisco has confirmed that the vulnerability has been exploited in the wild in limited targeted attacks. Cisco and Rapid7 also noted that CVE-2026-20182 is distinct from the previously disclosed CVE-2026-20127 vulnerability, although both vulnerabilities affect SD-WAN authentication-related functionality.
Mitigation
Cisco has released software updates to address this vulnerability. Organizations should upgrade to a fixed software release as soon as possible.
Administrators should also review access controls, restrict management plane exposure, and monitor systems for unauthorized activity. Restricting access to UDP port 12346 to only trusted SD-WAN peers and management networks may help reduce exposure.
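The following Python script is an added example, not part of this advisory and not a Cisco tool. It implements the allow-list check suggested above as detection logic: flow records are scanned for UDP/12346 connection attempts whose source lies outside the set of trusted SD-WAN peers and management networks. The flow-record format, the trusted networks, and the sample records are all constructed for this example; real deployments would feed it NetFlow/IPFIX or firewall log exports and their own peer inventory.

```python
"""Flag SD-WAN control-plane (UDP/12346) connection attempts that originate
outside the trusted-peer allow-list.

Illustrative defender-side tooling added to this page; it is not a Cisco
tool.  The whitespace-separated flow format used below is constructed for
this example and is not any vendor's log format.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# UDP port named in the advisory for SD-WAN control-plane / peering traffic.
SDWAN_CONTROL_PORT = 12346

# Assumed trusted SD-WAN peers and management networks (constructed values;
# replace with the real controller, manager and admin subnets).
TRUSTED_PEERS = [
    ipaddress.ip_network("10.10.0.0/24"),   # hypothetical controller subnet
    ipaddress.ip_network("192.0.2.50/32"),  # hypothetical management host
]

# Constructed sample flow records: timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z 10.10.0.5      10.10.0.1 udp 12346
2026-03-01T10:00:02Z 198.51.100.77  10.10.0.1 udp 12346
2026-03-01T10:00:03Z 192.0.2.50     10.10.0.1 tcp 830
2026-03-01T10:00:04Z 198.51.100.77  10.10.0.1 udp 12346
2026-03-01T10:00:05Z 203.0.113.9    10.10.0.1 udp 12346
2026-03-01T10:00:06Z 10.10.0.7      10.10.0.1 udp 443
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed flow format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), proto.lower(), int(dport)))
    return flows


def is_trusted(addr, trusted=TRUSTED_PEERS) -> bool:
    """True if the address falls inside any allow-listed network."""
    return any(addr in net for net in trusted)


def find_untrusted_control_attempts(flows: list[Flow], trusted=TRUSTED_PEERS) -> list[Flow]:
    """Return flows to the SD-WAN control port from sources outside the allow-list."""
    return [
        f for f in flows
        if f.proto == "udp" and f.dport == SDWAN_CONTROL_PORT and not is_trusted(f.src, trusted)
    ]


def summarize_by_source(findings: list[Flow]) -> Counter:
    """Count flagged attempts per source address for triage."""
    return Counter(str(f.src) for f in findings)


if __name__ == "__main__":
    hits = find_untrusted_control_attempts(parse_flows(SAMPLE_FLOWS))
    for src, count in summarize_by_source(hits).most_common():
        print(f"untrusted source {src}: {count} attempt(s) on UDP/{SDWAN_CONTROL_PORT}")
```

The same allow-list drives both the detection rule and the firewall policy: whatever set of networks is permitted to reach UDP/12346 at the perimeter should be the set this script treats as trusted, so that any hit it reports represents traffic that also should have been blocked.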