Cisco Catalyst SD‑WAN Controller 0‑Day Actively Exploited

Overview

A maximum‑severity zero‑day vulnerability in Cisco Catalyst SD‑WAN Controller is being actively exploited, enabling unauthenticated attackers to bypass authentication and gain administrative control of enterprise network infrastructure. Tracked as CVE‑2026‑20182 with a CVSS score of 10.0, the flaw impacts on‑premises, cloud, and government SD‑WAN deployments.

Technical Details

  • Service Affected: vdaemon over DTLS UDP/12346.
  • Root Cause: Logic gap in vbond_proc_challenge_ack() function.
    • Device types vSmart (3), vManage (5), vEdge (1) are validated.
    • Device type vHub (2) bypasses all certificate checks.
  • Exploit Chain:
    1. DTLS handshake with any self‑signed certificate.
    2. Send CHALLENGE_ACK claiming vHub type.
    3. Authentication flag set to true.
    4. Peer transitions to UP state as trusted node.
  • Persistence:
    • Exploits vbond_proc_vmanage_to_peer() to append attacker SSH keys to /home/vmanage-admin/.ssh/authorized_keys.
    • Grants persistent, credential‑independent SSH access to NETCONF service (TCP/830).

Exploitation in the Wild

  • Active Exploitation confirmed by Cisco PSIRT in May 2026.
  • Metasploit Module: Public release scheduled for May 27, 2026.
  • Impact: Arbitrary NETCONF commands to read/manipulate configurations across the SD‑WAN fabric.

Indicators of Compromise (IoCs)

  • Log File: /var/log/auth.log
  • Suspicious Entry: Accepted publickey for vmanage-admin from unknown IP
  • Injected File: /home/vmanage-admin/.ssh/authorized_keys
  • Suspicious Ports: UDP/12346 (DTLS vdaemon), TCP/830 (NETCONF SSH)
  • CVE: CVE‑2026‑20182
  • CWE: CWE‑287: Improper Authentication
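The two host-based indicators above (an unexpected public-key login for vmanage-admin in auth.log, and an extra entry in the vmanage-admin authorized_keys file) can be checked mechanically. The following is an added example, not code from the advisory or from Cisco: it parses constructed sample auth.log lines and a constructed authorized_keys file, and flags logins from sources outside a hypothetical allowlist (TRUSTED_SOURCES) and keys absent from a hypothetical operator baseline (BASELINE_KEYS). Both sets, the sample data and the key comments are assumptions for illustration.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample lines in the style of /var/log/auth.log (not from a real system).
SAMPLE_AUTH_LOG = """\
May 20 03:14:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.5.20 port 51234 ssh2: RSA SHA256:AAAA
May 20 03:15:11 vmanage sshd[2302]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41002 ssh2: ED25519 SHA256:BBBB
May 20 03:16:40 vmanage sshd[2310]: Failed password for admin from 198.51.100.9 port 50010 ssh2
"""

# Constructed authorized_keys contents; the second line stands in for an injected key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0known== ops-jumphost
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIunknown some-comment
"""

# Hypothetical operator baseline: management hosts allowed to log in, and the keys
# that are supposed to be present for vmanage-admin.
TRUSTED_SOURCES = {"10.10.5.20"}
BASELINE_KEYS = {"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0known== ops-jumphost"}

ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def suspicious_logins(lines: Iterable[str], user: str = "vmanage-admin",
                      trusted: set[str] = TRUSTED_SOURCES) -> list[str]:
    """Source IPs of successful public-key logins for `user` that are not in `trusted`."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user and m.group("ip") not in trusted:
            hits.append(m.group("ip"))
    return hits


def _key_identity(line: str) -> tuple[str, str] | None:
    """Reduce an authorized_keys line to (key type, key blob), ignoring options and comment."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    for i, field in enumerate(parts[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return field, parts[i + 1]
    return None


def unexpected_keys(authorized_keys: str,
                    baseline: set[str] = BASELINE_KEYS) -> list[str]:
    """Key lines present in `authorized_keys` whose (type, blob) is not in the baseline."""
    known = {_key_identity(k) for k in baseline} - {None}
    found = []
    for raw in authorized_keys.splitlines():
        ident = _key_identity(raw)
        if ident is not None and ident not in known:
            found.append(raw.strip())
    return found


if __name__ == "__main__":
    print("logins from untrusted sources:", suspicious_logins(SAMPLE_AUTH_LOG.splitlines()))
    print("keys outside baseline:", unexpected_keys(SAMPLE_AUTHORIZED_KEYS))
```

Keys are compared by type and blob rather than by whole line, so a foreign key that reuses a familiar comment string is still reported; on a real controller the same functions would be fed the contents of /var/log/auth.log and /home/vmanage-admin/.ssh/authorized_keys.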

Mitigation

  • No Workarounds: Patching is the only remediation.
  • Forensics: Run request admin-tech before upgrading to preserve evidence.
  • Fixed Releases:
    • 20.12 branch → 20.12.5.4 / 20.12.6.2 / 20.12.7.1
    • 20.15 branch → 20.15.4.4 / 20.15.5.2
    • 20.18 branch → 20.18.2.2
    • 26.1 branch → 26.1.1.1
  • Unsupported Versions: Releases earlier than 20.9, plus 20.10, 20.11, 20.13, 20.14, and 20.16 must migrate to supported fixed releases.
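Because the fixed builds are spread across several maintenance trains per branch, deciding whether a given running version is covered is easy to get wrong by eye. The following added example (not code from the advisory or from Cisco) encodes the fixed-release list and the unsupported-branch list exactly as stated above and classifies a version string. It assumes that each listed fixed build applies to its own train (same first three components), so a build in a train with no listed fix is reported as vulnerable, and that branches the page does not mention at all (for example 20.9 or 20.17) are reported as unlisted rather than guessed at.

```python
from __future__ import annotations

# Fixed releases exactly as listed in the advisory, keyed by branch (first two components).
FIXED_RELEASES: dict[str, list[str]] = {
    "20.12": ["20.12.5.4", "20.12.6.2", "20.12.7.1"],
    "20.15": ["20.15.4.4", "20.15.5.2"],
    "20.18": ["20.18.2.2"],
    "26.1": ["26.1.1.1"],
}

# Branches the advisory says must migrate to a supported fixed release instead of patching.
UNSUPPORTED_BRANCHES = {"20.10", "20.11", "20.13", "20.14", "20.16"}


def parse_version(version: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); raises ValueError on non-numeric components."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {version!r}")
    return parts


def assess(version: str) -> str:
    """Classify a running version: 'fixed', 'vulnerable', 'migrate' or 'unlisted'."""
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"

    # Releases earlier than 20.9, plus the named branches, are out of support.
    if parts[:2] < (20, 9) or branch in UNSUPPORTED_BRANCHES:
        return "migrate"

    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # The page lists no fixed build for this branch; do not guess.
        return "unlisted"

    # Assumption: a fixed build covers its own maintenance train (first three components).
    for candidate in fixed:
        fixed_parts = parse_version(candidate)
        if fixed_parts[:3] == parts[:3]:
            return "fixed" if parts >= fixed_parts else "vulnerable"

    # No fixed build exists in this train; the operator must move to a listed fixed release.
    return "vulnerable"


if __name__ == "__main__":
    for v in ["20.12.5.3", "20.12.5.4", "20.12.4.1", "20.16.2.1", "20.8.1", "20.9.1", "26.1.1.1"]:
        print(f"{v:>12}: {assess(v)}")
```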

Final Thought

CVE‑2026‑20182 is a stark reminder that control‑plane authentication flaws can instantly compromise entire SD‑WAN fabrics. With exploitation already observed, organizations must patch immediately, audit logs for unauthorized SSH keys, and monitor control connections for suspicious challenge‑ack anomalies.
