"A vulnerability in the peering authentication in Cisco Catalyst SD‑WAN Controller... could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," Cisco warned.
Cisco advisory, the flaw and who is affected
Cisco released updates in May 2026 to address a maximum‑severity authentication bypass tracked as CVE‑2026‑20182, which the company assigned a CVSS score of 10.0. The vendor said it became aware of "limited exploitation" of the flaw in May 2026 and urged customers to apply the latest updates as soon as possible. Cisco identified the vulnerability as a malfunction in the peering authentication mechanism of the Catalyst SD‑WAN Controller (formerly SD‑WAN vSmart) and Cisco Catalyst SD‑WAN Manager (formerly SD‑WAN vManage).
Cisco listed the following deployments as impacted: On‑Prem Deployment; Cisco SD‑WAN Cloud‑Pro; Cisco SD‑WAN Cloud (Cisco Managed); and Cisco SD‑WAN for Government (FedRAMP). The company also said systems that are accessible over the internet with exposed ports are at increased risk of compromise.
How an attacker can abuse the controller
According to Cisco, an attacker can exploit the peering authentication malfunction by sending crafted requests to an affected system. A successful exploit can allow a remote, unauthenticated attacker to log in to the Catalyst SD‑WAN Controller as an internal, high‑privileged, non‑root user account. From there, the attacker could use that account to access NETCONF and manipulate network configuration for the SD‑WAN fabric.
What Rapid7 found and the link to a prior bug
Rapid7, which is credited with discovering CVE‑2026‑20182, said the new shortcoming echoes an earlier critical authentication bypass, CVE‑2026‑20127, which also carried a CVSS score of 10.0. Rapid7 researchers Jonah Burgess and Stephen Fewer noted that the new vulnerability affects the "vdaemon" service over DTLS (UDP port 12346), the same service that was vulnerable to CVE‑2026‑20127.
The researchers made a careful distinction: the new vulnerability is not a patch bypass of CVE‑2026‑20127 but is a different issue located in a similar part of the "vdaemon" networking stack. Rapid7 warned that the end result is functionally equivalent: a remote unauthenticated attacker can become an authenticated peer of the target appliance and carry out privileged operations. Rapid7 also reported that CVE‑2026‑20127 had been exploited by a threat actor identified as UAT‑8616 since at least 2023.
What this means for technologists, procurement leaders, and network defenders
- Technologists and security teams: Apply the Cisco updates immediately where they manage Catalyst SD‑WAN Controller systems, particularly for installations reachable from the internet or with exposed ports.
- Procurement and IT operations: Note that the vulnerability affects multiple deployment models — on‑prem and several Cisco SD‑WAN cloud offerings, including a FedRAMP‑authorized option — and coordinate patching and change windows across those environments.
- Network defenders and SOC analysts: Hunt in controller logs for the two indicators Cisco named: "Accepted publickey for vmanage‑admin" entries in /var/log/auth.log from unknown or unauthorized IP addresses, and anomalous peering events (unexpected times, unrecognized IPs, device types that do not fit the environment). The detection section below spells out both checks.
Detection and mitigation actions Cisco recommends
Cisco's advisory centers on two immediate actions: install the vendor's security updates and review logs for signs of compromise. The company specifically recommends auditing /var/log/auth.log for entries related to "Accepted publickey for vmanage‑admin" that originate from unknown or unauthorized IP addresses. It also calls attention to suspicious peering events in the logs — unauthorized peer connections occurring at unexpected times or from unrecognized IPs, or connections involving device types that do not fit the environment's architecture.
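The two checks above (also listed in the defender bullet earlier) can be scripted. The following is an added example, not code from Cisco, Rapid7 or the article. The auth.log sample lines are constructed in the standard OpenSSH "Accepted publickey for <user> from <ip>" format; the peering records are a normalized shape this script assumes, because the advisory names the conditions to look for (unknown source, odd hour, wrong device type) but not the controller's exact peering log format. The trusted networks, device types and expected hours are placeholder values you would replace with your own.

```python
"""Triage the two log indicators Cisco named for CVE-2026-20182.

Added example, not Cisco's or Rapid7's code. auth.log lines use the standard
OpenSSH format; the peering records are an assumed normalized shape, since the
advisory names the conditions but not the controller's exact log format.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample auth.log content (not from a real controller).
SAMPLE_AUTH_LOG = """\
May 14 02:11:07 vsmart01 sshd[4121]: Accepted publickey for vmanage-admin from 10.20.0.5 port 52110 ssh2: RSA SHA256:aaaa
May 14 02:13:44 vsmart01 sshd[4188]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41002 ssh2: RSA SHA256:bbbb
May 14 02:15:01 vsmart01 sshd[4201]: Accepted password for netops from 10.20.0.9 port 50012 ssh2
May 14 02:16:30 vsmart01 sshd[4230]: Failed publickey for vmanage-admin from 198.51.100.9 port 39911 ssh2: RSA SHA256:cccc
"""

# OpenSSH "Accepted <method> for <user> from <ip> port <n>" lines.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _in_trusted(ip_text, trusted_nets):
    """True if ip_text falls inside any CIDR in trusted_nets."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def find_suspicious_logins(log_text, trusted_nets, user="vmanage-admin"):
    """Return (timestamp, ip) for each successful public-key login as `user`
    from outside trusted_nets. Failed attempts and other users are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["method"] != "publickey" or m["user"] != user:
            continue
        if not _in_trusted(m["ip"], trusted_nets):
            hits.append((m["ts"], m["ip"]))
    return hits


# Constructed, normalized peering events (assumed shape, see module docstring).
SAMPLE_PEERING_EVENTS = [
    {"ts": "2026-05-14T09:12:00", "peer_ip": "10.20.0.5", "device_type": "vmanage"},
    {"ts": "2026-05-14T03:40:00", "peer_ip": "203.0.113.77", "device_type": "vedge"},
    {"ts": "2026-05-14T11:05:00", "peer_ip": "10.20.0.31", "device_type": "unknown"},
    {"ts": "2026-05-14T10:00:00", "peer_ip": "10.20.0.40", "device_type": "vbond"},
]


def find_suspicious_peers(events, trusted_nets, expected_types,
                          expected_hours=(time(6, 0), time(22, 0))):
    """Flag peer connections matching any of the advisory's three conditions.
    Returns a list of {"ts", "peer_ip", "reasons"}, one reason per condition hit."""
    start, end = expected_hours
    flagged = []
    for ev in events:
        reasons = []
        if not _in_trusted(ev["peer_ip"], trusted_nets):
            reasons.append("unrecognized source")
        if ev["device_type"] not in expected_types:
            reasons.append("unexpected device type")
        t = datetime.fromisoformat(ev["ts"]).time()
        if not (start <= t <= end):
            reasons.append("outside expected hours")
        if reasons:
            flagged.append({"ts": ev["ts"], "peer_ip": ev["peer_ip"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    trusted = ["10.20.0.0/24"]  # placeholder management network
    for ts, ip in find_suspicious_logins(SAMPLE_AUTH_LOG, trusted):
        print(f"[auth.log] vmanage-admin login from untrusted {ip} at {ts}")
    for f in find_suspicious_peers(SAMPLE_PEERING_EVENTS, trusted, {"vmanage", "vbond", "vedge"}):
        print(f"[peering] {f['peer_ip']} at {f['ts']}: {', '.join(f['reasons'])}")
```

On the sample data the auth.log check reports only the login from 203.0.113.77; the 10.20.0.5 login is from the trusted range, the "netops" password login is a different user, and the failed attempt from 198.51.100.9 is not an "Accepted" line. A hit here is a lead, not proof of compromise: a legitimate administrator connecting from an unlisted address produces the same line, so confirm against your change records before escalating.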
The combination of a maximum‑severity rating, demonstrated limited exploitation in May 2026, and prior exploitation of a related vdaemon flaw by UAT‑8616 since at least 2023 elevates the urgency laid out in Cisco's advisory: apply updates promptly and look for the specific log artifacts the vendor named.
For now, affected organizations have a clear, actionable checklist from Cisco and Rapid7: patch, restrict internet exposure where feasible, and search the named log locations and events for indicators of unauthorized peering or credential use. Whether the limited exploitation observed in May 2026 expands beyond the incidents Cisco reported will be the critical fact to watch in the days ahead.
Source: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html