CVE-2026-20182: Cisco SD-WAN CVSS 10 Authentication Bypass Exploited in the Wild

The Cisco SD-WAN authentication bypass in CVE-2026-20182 exploits a logic flaw in how the vdaemon service validates trust during the DTLS connection handshake. The vdaemon daemon is responsible for establishing and maintaining peering connections between SD-WAN fabric components — Controllers, Managers, Validators, and Edges. It listens on UDP port 12346 for DTLS-encapsulated peer authentication requests.

During a legitimate peering exchange, the Controller or Manager is expected to verify the cryptographic identity of the requesting peer before granting a trusted session. The flaw (CWE-287: Improper Authentication) exists in how the peering mechanism validates the request. An attacker crafts specific DTLS packets that cause this validation step to fail open, treating the unauthenticated connection as a verified fabric peer. The attacker gains a session equivalent to a high-privileged internal vManage administrator, per the Cisco Security Advisory published at sec.cloudapps.cisco.com.

With that session established, the attacker accesses NETCONF — Cisco SD-WAN's network configuration protocol — and can push arbitrary configuration changes to the entire SD-WAN fabric. In documented UAT-8616 post-compromise activity, Cisco Talos reports attackers inject their own RSA public key into the vmanage-admin authorized_keys file at /home/vmanage-admin/.ssh/authorized_keys, granting persistent SSH access that survives reboots. UAT-8616 also modifies /etc/ssh/sshd_config to set PermitRootLogin to yes. Anti-forensics activity clears syslog, wtmp, lastlog, bash_history, and cli-history files to remove evidence of intrusion.

The related prior flaw, CVE-2026-20127, affected the same vdaemon service and was exploited by UAT-8616 since at least 2023. Rapid7 Labs, which discovered CVE-2026-20182 while researching CVE-2026-20127, confirmed this is a distinct flaw requiring separate patching.

Every Cisco Catalyst SD-WAN deployment running an unpatched version is at risk. Cisco confirmed the vulnerability affects both the Controller component (formerly SD-WAN vSmart) and the Manager component (formerly SD-WAN vManage) across four deployment types: on-premises hardware, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). No deployment type is inherently protected until patched.

Patch versions by release branch, per the Cisco Security Advisory: Release 20.9.x is fixed in 20.9.9.1. Release 20.12.x is fixed in 20.12.5.4, 20.12.6.2, or 20.12.7.1. Releases 20.13.x and 20.14.x are fixed in 20.15.5.2. Release 20.15.x is fixed in 20.15.4.4 or 20.15.5.2. Releases 20.16.x and 20.18.x are fixed in 20.18.2.2. Release 26.1.x is fixed in 26.1.1.1. Releases earlier than 20.9 must migrate to a fixed release branch. Cisco-managed cloud deployments (Cloud-Pro and SD-WAN Cloud) received automatic remediation at release 20.15.506.

CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog on May 14, 2026. Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate all KEV entries by their assigned deadlines. SecurityWeek's reporting frames CVE-2026-20182 as the sixth exploited Cisco SD-WAN zero-day in 2026, a pattern that signals sustained, adaptive targeting of SD-WAN infrastructure rather than isolated incidents.

For teams already tracking SD-WAN attack surface, the Cisco SD-WAN CVE-2026-20133 credential chain attack analysis on Decryption Digest provides broader context on how UAT-8616 and related actors have progressively escalated their access techniques across successive SD-WAN CVEs.

UAT-8616 is a highly sophisticated cyber threat actor tracked by Cisco Talos with high confidence as the primary actor actively exploiting CVE-2026-20182. Talos assesses UAT-8616 at the nation-state level based on its operational security, multi-year persistence on targeted infrastructure, and sustained focus on enterprise SD-WAN control plane access.

UAT-8616 has targeted Cisco SD-WAN infrastructure since at least 2023, first through CVE-2026-20127 — the prior authentication bypass in the same vdaemon service — and now through the new CVE-2026-20182 flaw. Cisco Talos's May 2026 report on SD-WAN ongoing exploitation documents that the actor's infrastructure overlaps with monitored Operational Relay Box (ORB) networks, an anonymization and relay infrastructure pattern consistently associated with nation-state intrusion sets. The Cisco PSIRT confirmed exploitation began as "limited exploitation" in May 2026, consistent with early-stage targeted operations against specific high-value organizations rather than broad opportunistic scanning.

Post-compromise techniques documented by Cisco Talos for UAT-8616 include SSH public key injection into authorized_keys files, enabling PermitRootLogin in the SSH daemon, NETCONF-based SD-WAN fabric configuration access, and anti-forensics cleanup that clears syslog, wtmp, lastlog, bash_history, and cli-history. These patterns indicate an actor prioritizing long-term stealth persistence over disruptive impact — characteristics consistent with espionage operations targeting distributed enterprise and government networks.

UAT-8616's three-year sustained focus on Cisco SD-WAN control plane access, using new CVEs each time prior flaws are patched, demonstrates deliberate investment in maintaining this access vector.

Cisco provides specific detection guidance and post-compromise indicators for CVE-2026-20182. Security teams should perform forensic checks on all Cisco Catalyst SD-WAN Controller and Manager components before upgrading to preserve evidence of potential exploitation. Cisco explicitly recommends running the request admin-tech command from each control component before applying patches.

Log-based detection: Examine /var/log/auth.log on each Controller and Manager for entries containing "Accepted publickey for vmanage-admin from" followed by an IP address not in the documented peer list. Cross-reference every source IP against authorized system IPs configured in the SD-WAN web UI. Cisco Talos reports that UAT-8616 modifies or truncates this log file as part of anti-forensics operations — an absent or abnormally short auth.log is itself a high-fidelity indicator of compromise.

Configuration-based detection: Run show control connections detail or show control connections-history detail on each control component. Flag any peer showing state:up with challenge-ack 0 and a system IP not present in the documented topology. Inspect /home/vmanage-admin/.ssh/authorized_keys against known organizational SSH public keys. Any unrecognized key is a direct IOC. Check /etc/ssh/sshd_config for PermitRootLogin yes — this value is not set by Cisco in any legitimate configuration and indicates attacker modification.

For a parallel detection methodology covering network edge firewall compromise indicators, see the Palo Alto PAN-OS CVE-2026-0300 firewall RCE mitigation guide on Decryption Digest, which covers analogous forensic artifact review processes for perimeter devices.

Cisco has released fixed software for CVE-2026-20182 across all active release branches. No workaround exists. Organizations must upgrade Cisco Catalyst SD-WAN Controller and Manager to a fixed release. Before upgrading, Cisco strongly recommends running request admin-tech from every control component to capture forensic state. If auth.log evidence or unauthorized authorized_keys entries are found, contact Cisco TAC at Severity 3 before completing the upgrade to preserve incident response evidence.

Fixed release versions by branch per the Cisco Security Advisory at sec.cloudapps.cisco.com: 20.9.x upgrades to 20.9.9.1; 20.12.x upgrades to 20.12.5.4, 20.12.6.2, or 20.12.7.1; 20.13.x and 20.14.x upgrade to 20.15.5.2; 20.15.x upgrades to 20.15.4.4 or 20.15.5.2; 20.16.x and 20.18.x upgrade to 20.18.2.2; 26.1.x upgrades to 26.1.1.1. Releases prior to 20.9 require migration to a supported fixed branch. Cisco-managed cloud deployments should confirm automatic remediation has been applied at release 20.15.506. Qualys customers can use QID 317854 to detect vulnerable SD-WAN instances. Cisco published Snort rule IDs 66468-66483 and ClamAV signatures for broader SD-WAN exploitation detection.

The strategic value of Cisco Catalyst SD-WAN Controller compromise exceeds most single-device vulnerabilities by an order of magnitude. The Controller is the central policy engine for the SD-WAN fabric: it determines routing decisions, topology configuration, and path selection for every connected branch office, data center, and cloud edge. An attacker with NETCONF access to the Controller can read and manipulate traffic routing for every site in the organization's SD-WAN deployment simultaneously. This is not a single host compromise — it is control-plane-level access to the entire wide-area network.

UAT-8616's three-year sustained focus on Cisco SD-WAN infrastructure confirms that nation-state actors have specifically prioritized this access path. The actor developed and deployed authentication bypass exploits against the same vdaemon service across two successive CVEs: CVE-2026-20127 since 2023, and now CVE-2026-20182 in May 2026. Organizations that patched prior SD-WAN CVEs and did not establish ongoing monitoring face the same actor on a new entry path.

The broader 2026 exploitation wave documented by Cisco Talos, with 10 distinct threat clusters simultaneously targeting related Cisco SD-WAN vulnerabilities using tools ranging from XMRig cryptocurrency miners to Godzilla and Behinder web backdoors to AdaptixC2 red-team frameworks, confirms that SD-WAN control plane infrastructure has become a primary target class. The CVSS 10.0 score and CISA KEV listing for CVE-2026-20182 reflect a real-world exploitation pattern that has been active for years and shows no sign of stopping with a single patch.

Network segmentation that blocks external access to UDP port 12346 reduces exposure for internet-facing deployments but is not an official workaround and does not protect against attackers already positioned inside trusted network segments.