Critical Authentication Bypass Zero‑Day in Cisco Catalyst SD‑WAN (CVE‑2026‑20182) Threatens Enterprise Networks
What It Is — Cisco disclosed a zero‑day authentication bypass (CVE‑2026‑20182) affecting the Catalyst SD‑WAN Controller and Manager. The flaw resides in the “vdaemon” DTLS service and allows an unauthenticated remote attacker to become an authenticated peer, inject a malicious SSH key, and issue arbitrary NETCONF commands.
Exploitability — Actively exploited in the wild by a sophisticated threat actor (group “UAT‑8616”). No public PoC is required; crafted network packets are sufficient. CVSS v3.1 score is 9.8 (Critical).
Affected Products — Cisco Catalyst SD‑WAN Controller (on‑prem and cloud) and Cisco Catalyst SD‑WAN Manager (management plane).
TPRM Impact —
- Unauthorized re‑configuration of WAN fabric can expose data in transit and disrupt critical business applications.
- Compromise of a core networking component creates a supply‑chain foothold that can be leveraged against downstream SaaS, cloud services, and partner ecosystems.
- Potential escalation to root via legacy CVE‑2022‑20775 amplifies the risk to the entire enterprise network.
Recommended Actions —
- Deploy Cisco’s emergency patch for CVE‑2026‑20182 immediately on all SD‑WAN Controllers and Managers.
- Verify firmware versions across the SD‑WAN fleet; enforce a version‑control baseline.
- Rotate and audit all vmanage‑admin SSH keys; remove any unauthorized entries.
- Enable strict monitoring on DTLS port 12346 and NETCONF port 830 for anomalous traffic or login attempts.
- Conduct a focused log review for signs of configuration changes or privilege‑escalation activity.
- If compromise is suspected, isolate affected devices, capture forensic images, and engage Cisco Incident Response.
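As an added illustration of the SSH‑key audit step above (this script is not from the Help Net Security article or from Cisco), the Python below fingerprints every entry in a vmanage‑admin authorized_keys file in OpenSSH's SHA256 form and reports entries absent from a change‑control baseline. The sample file contents, the key blobs and the baseline are constructed here; the file's location on the appliance is not assumed.

```python
import base64
import hashlib

# Key-type tokens that start the key part of an authorized_keys line (OpenSSH formats).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def key_fingerprint(b64_blob):
    """OpenSSH-style 'SHA256:<base64, no padding>' fingerprint of a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (key_type, fingerprint, comment) for every key line.
    Blank lines and '#' comments are skipped; a leading options field
    (e.g. from=...,no-pty) is tolerated as long as it contains no spaces."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
                comment = " ".join(fields[i + 2:])
                entries.append((tok, key_fingerprint(fields[i + 1]), comment))
                break
    return entries

def audit_authorized_keys(text, baseline):
    """Entries whose fingerprint is not in the approved baseline: candidates for removal."""
    return [e for e in parse_authorized_keys(text) if e[1] not in baseline]

def make_ed25519_blob(fill):
    """Syntactically valid ssh-ed25519 public-key blob used only as constructed test data."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

# Constructed sample: one approved key and one entry that was never in the baseline.
APPROVED_BLOB = make_ed25519_blob(0x01)
UNKNOWN_BLOB = make_ed25519_blob(0x02)
SAMPLE_AUTHORIZED_KEYS = (
    "# vmanage-admin authorized_keys (constructed sample)\n"
    f"ssh-ed25519 {APPROVED_BLOB} netops-jumphost\n"
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {UNKNOWN_BLOB} backup\n'
)
BASELINE = {key_fingerprint(APPROVED_BLOB)}  # fingerprints approved by change control

if __name__ == "__main__":
    for key_type, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNAUTHORIZED {key_type} {fp} {comment!r}")
```

Run it against the real file on each Controller and Manager with a baseline exported from change control; any reported entry should be treated as an indicator of compromise until its origin is explained.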
Source: Help Net Security