Cisco SD-WAN 0-Day Flaw Actively Exploited in Attacks


CVE-2026-20182 is an authentication bypass vulnerability affecting the core vdaemon service within the Cisco Catalyst SD-WAN architecture. The flaw allows an unauthenticated, remote attacker to bypass cryptographic trust verification during the Datagram Transport Layer Security (DTLS) authentication process. By successfully mimicking a specific device type, an attacker can enroll as a fully trusted control-plane peer, enabling comprehensive control over enterprise-wide network operations, routing manipulation, and long-term persistence.

Severity: Critical

Vulnerability Profile

  • CVE ID: CVE-2026-20182
  • CVSS Score: 10.0
  • Class: Authentication Bypass / Missing Verification
  • Affected Component: vdaemon service; function vbond_proc_challenge_ack()
  • Exploit Availability: Public Metasploit auxiliary module exists

Affected Products

All Cisco Catalyst SD-WAN deployment models are affected regardless of configuration, because the flaw is in the core authentication logic:

  • Cisco Catalyst SD-WAN Controller (vSmart)
  • Cisco Catalyst SD-WAN Manager (vManage)
  • Applies to: On-Prem, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP/Government deployments

Attack Flow

  1. Attacker initiates DTLS handshake to vSmart on UDP/12346 using any self-signed certificate (cert validation failure is logged but does not abort the flow).
  2. Controller responds with CHALLENGE (msg_type=8, 256 random bytes + TLVs).
  3. Attacker sends crafted CHALLENGE_ACK (msg_type=9) with device_info upper nibble = 2 (vHub).
  4. Controller sends CHALLENGE_ACK_ACK (msg_type=10); sets peer->authenticated = 1.
  5. Attacker sends Hello (msg_type=5) — passes the secondary auth check since the flag is set.
  6. Peer transitions to state: up — rogue node is now a trusted SD-WAN control-plane peer.

Post-Exploitation Capabilities

Once trusted in the control plane, the attacker can:

  • Persistent SSH key injection via MSG_VMANAGE_TO_PEER (msg_type=14), handled by vbond_proc_vmanage_to_peer().
  • NETCONF access on TCP/830 via the injected vmanage-admin key, yielding privileged management-plane operations.
  • Routing manipulation — inject/modify routes, blackhole or redirect traffic.
  • Segmentation changes — alter or bypass policy boundaries.
  • Configuration push to managed SD-WAN devices.
  • Full SD-WAN fabric compromise — vSmart orchestrates routing, trust, and onboarding enterprise-wide.

vmanage-admin is a high-privilege internal service account used for automation between vManage, vSmart, and vBond, so SSH key injection converts a transient session compromise into persistent, credential-independent privileged access.

Detection Opportunities

Hunt for the following on SD-WAN controllers:

  • Unexpected DTLS connections to UDP/12346 from non-inventoried sources.
  • Peers transitioning to state: up without legitimate onboarding workflow.
  • Anomalous CHALLENGE_ACK activity, especially peers identifying as vHub when the deployment doesn’t use vHubs (or in unexpected quantities/locations).
  • New or recently appended entries in /home/vmanage-admin/.ssh/authorized_keys.
  • Unknown peer serial numbers in active control-plane peer lists.
  • Internal logs showing certificate verification failures that did not abort the session.
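The following is an added hunt helper illustrating the detection opportunities above; it is example code, not code from Cisco, Resecurity, or this advisory. The key=value event format it parses is constructed for the example (real Catalyst SD-WAN logs differ and parse_event() must be adapted to the actual source), the inventory set and vHub-free assumption are placeholders, and the authorized_keys snapshots use placeholder key material. It flags certificate failures that did not end the DTLS session, CHALLENGE_ACK peers identifying as vHub in a deployment with no vHubs, serials absent from inventory, a peer reaching state up after a failed certificate check, and new entries in /home/vmanage-admin/.ssh/authorized_keys relative to a trusted baseline.

```python
"""Hunt helper for the CVE-2026-20182 detection opportunities.

Added example, not code from Cisco, Resecurity or the advisory. The event
format parsed here is constructed: a normalised key=value feed of
control-plane peer events. Real Catalyst SD-WAN logs look different, so
parse_event() must be adapted to the actual source.
"""
import re

# Constructed sample feed: one rogue peer (203.0.113.10) and one legitimate
# vEdge (10.20.0.5). Addresses are documentation/private ranges, not real IoCs.
SAMPLE_EVENTS = """\
2026-03-01T10:00:01Z peer=203.0.113.10 port=12346 event=cert_verify status=fail session=continued
2026-03-01T10:00:02Z peer=203.0.113.10 port=12346 event=challenge_ack device_type=vhub serial=UNKNOWN-AAAA
2026-03-01T10:00:03Z peer=203.0.113.10 port=12346 event=state_change new_state=up serial=UNKNOWN-AAAA
2026-03-01T10:05:00Z peer=10.20.0.5 port=12346 event=cert_verify status=ok session=continued
2026-03-01T10:05:01Z peer=10.20.0.5 port=12346 event=challenge_ack device_type=vedge serial=VEDGE-0001
2026-03-01T10:05:02Z peer=10.20.0.5 port=12346 event=state_change new_state=up serial=VEDGE-0001
"""

# Constructed inventory; in practice, export it from the controller's device list.
INVENTORY_SERIALS = {"VEDGE-0001", "VEDGE-0002"}
DEPLOYMENT_USES_VHUB = False  # assumption for this fabric: no vHubs deployed

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def hunt(log_text, inventory=INVENTORY_SERIALS, uses_vhub=DEPLOYMENT_USES_VHUB):
    """Return a list of findings, each {'ts', 'peer', 'rule'}.

    Rules mirror the detection bullets: a cert failure that did not end the
    session, vHub identification in a vHub-free deployment, a serial not in
    inventory, and a peer reaching 'up' after its certificate check failed.
    """
    findings = []
    cert_failed_peers = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        peer, kind = ev.get("peer"), ev.get("event")

        if (kind == "cert_verify" and ev.get("status") == "fail"
                and ev.get("session") == "continued"):
            cert_failed_peers.add(peer)
            findings.append({"ts": ev["ts"], "peer": peer,
                             "rule": "cert_fail_session_continued"})
        elif kind == "challenge_ack":
            if ev.get("device_type") == "vhub" and not uses_vhub:
                findings.append({"ts": ev["ts"], "peer": peer,
                                 "rule": "vhub_in_vhub_free_deployment"})
            if ev.get("serial") not in inventory:
                findings.append({"ts": ev["ts"], "peer": peer,
                                 "rule": "serial_not_in_inventory"})
        elif kind == "state_change" and ev.get("new_state") == "up":
            if peer in cert_failed_peers:
                findings.append({"ts": ev["ts"], "peer": peer,
                                 "rule": "up_after_cert_fail"})
    return findings


def new_authorized_keys(baseline_text, current_text):
    """Return key lines present in the current authorized_keys but absent
    from a trusted baseline copy (blank lines and comments are ignored)."""
    def keys(text):
        return [l.strip() for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#")]
    baseline = set(keys(baseline_text))
    return [k for k in keys(current_text) if k not in baseline]


# Constructed authorized_keys snapshots; the key material is a placeholder.
BASELINE_KEYS = "ssh-ed25519 AAAAC3-PLACEHOLDER-BASELINE automation@vmanage\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3-PLACEHOLDER-UNKNOWN rogue@unknown\n"

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['peer']} {f['rule']}")
    for k in new_authorized_keys(BASELINE_KEYS, CURRENT_KEYS):
        print("new authorized_keys entry:", k)
```

Run against the constructed feed, every finding points at the same rogue peer, which is the pattern worth triaging: a single source that fails certificate verification, claims to be a vHub, carries an unknown serial, and still reaches state up. Feed the real inventory export and a known-good authorized_keys copy (taken before remediation, per the forensics recommendation) to make the checks meaningful on a live controller.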

Recommendations

  1. Patch immediately all externally reachable vSmart, vBond, and vManage controllers; treat internet-exposed vulnerable nodes as potentially already compromised.
  2. Review DTLS/auth logs for the indicators above.
  3. Rotate trust material if compromise is suspected: SSH keys, certificates, API credentials, controller-to-controller trust.
  4. Preserve forensics before remediation: controller logs, DTLS captures, memory, configuration snapshots, authorized_keys history.

Sources:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
  • https://www.resecurity.com/blog/article/cve-2026-20182-unauthenticated-cisco-sd-wan-control-plane-compromise-via-vhub-authentication-bypass
