Cisco has confirmed limited active exploitation of CVE-2026-20182, a maximum-severity authentication bypass in its Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). The flaw carries a CVSS score of 10.0 and lets an unauthenticated remote attacker bypass peering authentication entirely, then operate the controller with administrative privileges. The Hacker News broke the advisory on May 14, attributing discovery to Rapid7 researchers Jonah Burgess and Stephen Fewer.
How the bypass works
The vulnerability is in the controller’s vdaemon service, which terminates the DTLS-over-UDP peering channel used to authenticate other SD-WAN nodes. By sending crafted requests to UDP port 12346, an attacker can register as an authenticated peer without presenting valid credentials. Per the Hacker News, that authenticated-peer state is sufficient to access NETCONF and push configuration changes across the SD-WAN fabric — effectively giving the attacker control plane authority over the customer’s WAN topology, routing, and access policy.
Affected deployments span the full Cisco SD-WAN catalog: on-prem, SD-WAN Cloud-Pro, Cisco-managed Cloud, and the FedRAMP “SD-WAN for Government” tier. Cisco has shipped fixed releases for supported branches and is directing customers to apply them immediately.
A repeat offender component
This is the second 10.0-rated bypass in the same vdaemon service in three years. The earlier CVE-2026-20127 — also CVSS 10.0 — has been exploited in the wild since at least 2023 by the threat actor Cisco tracks as UAT-8616. Rapid7 characterizes the new CVE as a distinct authentication issue rather than a regression of the prior fix, but the recurrence is hard to ignore: the same code path that mediates inter-controller trust has now produced two unauthenticated-RCE-equivalents.
For exposed controllers — particularly any on-prem deployment with UDP 12346 reachable from the internet — Cisco directs operators to audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries from unfamiliar IPs, and to watch for peering events from device types that are not part of the known fleet. Those are post-exploitation tells; there is no pre-auth signature to filter on the wire.
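The auth.log check above, as an added example (not code from Cisco, Rapid7 or the advisory): it scans sshd "Accepted publickey" lines for the vmanage-admin account and flags any whose source address falls outside the operator's known management networks. The syslog line layout, the sample lines and the 10.20.0.0/16 management range are all constructed assumptions.

```python
import re
import ipaddress

# Standard sshd syslog line: "<ts> <host> sshd[<pid>]: Accepted publickey for <user> from <ip> port <n> ..."
# Only the phrase "Accepted publickey for vmanage-admin" comes from the advisory; the rest is assumed.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def find_unexpected_logins(lines, known_networks, watched_user="vmanage-admin"):
    """Return (timestamp, ip) for each accepted publickey login of watched_user
    whose source IP is not inside any of the operator's known management networks."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    hits = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != watched_user:
            continue  # not a successful login, or not the account we audit
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field: skip the line rather than crash
        if not any(ip in net for net in nets):
            hits.append((m.group("ts"), str(ip)))
    return hits


# Constructed sample log lines (not taken from any real controller).
SAMPLE_LOG = """\
May 14 02:11:07 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.20.0.15 port 50122 ssh2
May 14 02:13:41 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 198.51.100.77 port 41500 ssh2
May 14 02:14:02 vmanage sshd[2301]: Failed password for invalid user test from 198.51.100.77 port 41511 ssh2
May 14 02:20:19 vmanage sshd[2377]: Accepted publickey for netops from 203.0.113.9 port 39022 ssh2
""".splitlines()

# Assumed management range; replace with the site's real jump-host / NOC prefixes.
KNOWN_MGMT_NETS = ["10.20.0.0/16"]

if __name__ == "__main__":
    for ts, ip in find_unexpected_logins(SAMPLE_LOG, KNOWN_MGMT_NETS):
        print(f"{ts} unexpected vmanage-admin login from {ip}")
```

Run it against the real file with `find_unexpected_logins(open("/var/log/auth.log"), KNOWN_MGMT_NETS)`; any hit is worth correlating with the peering-event review the advisory also recommends.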
What this means
Operators running SD-WAN controllers should treat this as a priority-zero patch, not the usual Cisco advisory cadence. The combination of an unauthenticated, network-reachable bypass, confirmed in-the-wild use, and a control plane that mediates wide-area routing means a compromise here doesn’t stop at the controller — it gives an attacker a stable position from which to reshape the customer’s network. For teams that have legitimate reasons to keep UDP 12346 internet-reachable, an IP allowlist at the network edge is the only stop-gap; the bypass itself does not respect any in-application access control. CISA’s Known Exploited Vulnerabilities catalog will almost certainly absorb this CVE in the coming days, and federal civilian agencies should expect a tight remediation deadline to follow.