CVE-2026-20182: Critical Authentication Bypass in Cisco Catalyst SD-WAN Controller (FIXED)
Rapid7, Thursday, May 14th, 2026
Critical authentication bypass in Cisco Catalyst SD-WAN Controller vdaemon service allows remote unauthenticated attackers to gain privileged access.
Rapid7 Labs discovered CVE-2026-20182, a critical authentication bypass vulnerability (CVSS 10.0) in Cisco Catalyst SD-WAN Controller's vdaemon service over DTLS (UDP port 12346). The vulnerability stems from improper device-type verification in the CHALLENGE_ACK message processing, where vHub device types skip certificate verification entirely.
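To make the class of defect concrete from a defender's side, the following Python toy model is an added example written for this page; it is not Cisco's vdaemon code and is not derived from the advisory's internals. Every name in it (`Cert`, `ChallengeAck`, `TRUSTED_ISSUER`, the sample messages, the two `authenticate_*` functions, and the "vEdge" sample device type) is an assumption. It contrasts the anti-pattern the advisory describes, a peer-supplied device-type field deciding whether certificate verification runs at all, with a hardened authenticator that always verifies and takes the device type from the verified certificate rather than from the message.

```python
"""
Added illustration (not Cisco's code, not from the Rapid7 advisory).

Models a CHALLENGE_ACK-style peer authentication step in two ways:
  - authenticate_vulnerable: a peer-supplied device type ("vHub") short-circuits
    certificate verification, so anyone who sends that field is accepted.
  - authenticate_hardened: verification always runs, and the device type is
    read from the verified certificate and checked against the claim.
All message fields, device types and certificate handling are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a certificate. A real implementation verifies a
# signature chain; here trust is modelled by matching the issuer name.
@dataclass(frozen=True)
class Cert:
    issuer: str
    subject_device_type: str   # device type the issuer bound into the cert

TRUSTED_ISSUER = "example-controller-ca"   # assumption

@dataclass(frozen=True)
class ChallengeAck:
    claimed_device_type: str     # chosen freely by the peer
    cert: Optional[Cert]         # may be absent from the message

def cert_is_valid(cert: Optional[Cert]) -> bool:
    """Toy verification: present and issued by the trusted CA."""
    return cert is not None and cert.issuer == TRUSTED_ISSUER

def authenticate_vulnerable(msg: ChallengeAck) -> dict:
    """Anti-pattern: the peer's own claim decides whether verification runs."""
    if msg.claimed_device_type == "vHub":
        # Verification skipped entirely based on an unauthenticated field.
        return {"authenticated": True, "device_type": "vHub", "reason": "vHub fast path"}
    if cert_is_valid(msg.cert):
        return {"authenticated": True, "device_type": msg.cert.subject_device_type, "reason": "ok"}
    return {"authenticated": False, "device_type": None, "reason": "certificate verification failed"}

def authenticate_hardened(msg: ChallengeAck) -> dict:
    """Always verify; derive the device type from the verified certificate."""
    if not cert_is_valid(msg.cert):
        return {"authenticated": False, "device_type": None, "reason": "certificate verification failed"}
    if msg.cert.subject_device_type != msg.claimed_device_type:
        # A valid cert for one role must not be usable to claim another.
        return {"authenticated": False, "device_type": None, "reason": "device type mismatch"}
    return {"authenticated": True, "device_type": msg.cert.subject_device_type, "reason": "ok"}

# Constructed sample messages.
FORGED_VHUB = ChallengeAck(claimed_device_type="vHub", cert=None)
LEGIT_EDGE = ChallengeAck(claimed_device_type="vEdge",
                          cert=Cert(TRUSTED_ISSUER, "vEdge"))
MISMATCH = ChallengeAck(claimed_device_type="vHub",
                        cert=Cert(TRUSTED_ISSUER, "vEdge"))
UNTRUSTED = ChallengeAck(claimed_device_type="vEdge",
                         cert=Cert("some-other-ca", "vEdge"))

def compare(msg: ChallengeAck) -> dict:
    """Run both authenticators on one message for side-by-side review."""
    return {"vulnerable": authenticate_vulnerable(msg),
            "hardened": authenticate_hardened(msg)}

if __name__ == "__main__":
    for name, m in [("forged vHub, no cert", FORGED_VHUB),
                    ("legitimate edge", LEGIT_EDGE),
                    ("valid cert, wrong claim", MISMATCH),
                    ("untrusted issuer", UNTRUSTED)]:
        r = compare(m)
        print(f"{name:24s} vulnerable={r['vulnerable']['authenticated']} "
              f"hardened={r['hardened']['authenticated']} ({r['hardened']['reason']})")
```

The point of the contrast is the first sample: a message with no certificate at all is accepted by the vulnerable path purely because of the field it carries, while the hardened path rejects it. The third sample shows the second half of the fix, binding the device type to the verified credential so a valid certificate for one role cannot be presented with a different claim. When reviewing any peer-authentication code, the question to ask is whether any branch can reach "authenticated" without the verification step having run on that exact peer.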
Remote unauthenticated attackers can exploit this to become authenticated peers, inject SSH keys into the vmanage-admin account, and execute arbitrary NETCONF commands. This is a separate issue from the previously discovered CVE-2026-20127, affecting the same service component but representing a distinct authentication bypass mechanism.