VULNERABILITY BRIEF 🔴 Critical Vulnerability

Zero‑Day in Cisco Catalyst SD‑WAN Controller (CVE‑2026‑20182) Enables Unauthenticated Admin Access

Cisco’s Catalyst SD‑WAN Controller contains a CVSS 10 zero‑day (CVE‑2026‑20182) that bypasses authentication, giving attackers full admin rights. The flaw is being actively exploited in the wild, threatening network integrity for any organization that deploys Cisco SD‑WAN. Immediate patching and network segmentation are essential for third‑party risk mitigation.

LiveThreat™ Intelligence · 📅 May 16, 2026 · 📰 databreachtoday.com
Severity: Critical
Type: Vulnerability
Confidence: High
Affected: 4 sector(s)
Actions: 5 recommended
Source: databreachtoday.com

What Happened – A critical zero‑day (CVE‑2026‑20182, CVSS 10.0) in the Cisco Catalyst SD‑WAN Controller’s vdaemon peering service is being actively exploited. The flaw bypasses authentication, granting attackers full administrative control over the SD‑WAN overlay, including the ability to add SSH keys, modify NETCONF settings, and elevate to root.

Why It Matters for TPRM

  • The vulnerability targets a core networking component used by thousands of third‑party vendors and their customers, creating a direct supply‑chain risk.
  • Unauthenticated admin access can be leveraged to pivot into downstream environments, exposing data and disrupting critical services.
  • Active exploitation confirmed by CISA and Rapid7 means the threat is immediate, not theoretical.

Who Is Affected – Enterprises that rely on Cisco Catalyst SD‑WAN (formerly vManage) across sectors such as technology SaaS, telecommunications, energy & utilities, and government.

Recommended Actions

  • Verify inventory of Cisco SD‑WAN controllers and confirm version exposure.
  • Apply Cisco’s emergency patch or upgrade to the latest fixed release immediately.
  • Block UDP 12346 (vdaemon control‑plane port) at the perimeter until patched.
  • Conduct a rapid risk assessment of any network segments that may have been re‑routed through compromised SD‑WAN devices.
  • Review third‑party contracts for clauses requiring timely remediation of critical vulnerabilities.
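
One way to check whether the UDP 12346 block above is actually in effect, as an added example that is not part of the original brief or of any Cisco tooling: it scans perimeter flow records for traffic reaching controller addresses on the vdaemon port from sources outside an approved peer list. The controller addresses, peer range and CSV log layout are constructed assumptions; adapt them to your own inventory and firewall export.

```python
import csv
import io
import ipaddress

VDAEMON_PORT = 12346  # vdaemon control-plane port named in the brief

# Constructed inventory and allowlist (documentation address ranges, not real hosts).
CONTROLLERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
APPROVED_PEERS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow export, assumed layout: timestamp,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2026-05-16T08:00:01Z,198.51.100.7,192.0.2.10,udp,12346,allow
2026-05-16T08:00:05Z,203.0.113.50,192.0.2.10,udp,12346,allow
2026-05-16T08:00:09Z,203.0.113.50,192.0.2.11,udp,12346,deny
2026-05-16T08:00:12Z,203.0.113.77,192.0.2.10,tcp,12346,allow
2026-05-16T08:00:20Z,203.0.113.50,192.0.2.99,udp,12346,allow
2026-05-16T08:00:31Z,not-an-ip,192.0.2.10,udp,12346,allow
"""

def unapproved_vdaemon_flows(flow_csv):
    """Return (findings, malformed) for UDP/12346 flows to controllers from unapproved sources."""
    findings, malformed = [], []
    fields = ["ts", "src", "dst", "proto", "dport", "action"]
    for row in csv.DictReader(io.StringIO(flow_csv), fieldnames=fields):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError):
            malformed.append(row)  # keep unparseable records for manual review
            continue
        if row["proto"].lower() != "udp" or dport != VDAEMON_PORT:
            continue
        if dst not in CONTROLLERS or any(src in net for net in APPROVED_PEERS):
            continue
        # "allow" means the perimeter block is not in effect on this path.
        findings.append({"ts": row["ts"], "src": str(src), "dst": str(dst),
                         "exposed": row["action"].lower() == "allow"})
    return findings, malformed

if __name__ == "__main__":
    hits, bad = unapproved_vdaemon_flows(SAMPLE_FLOWS)
    for h in hits:
        print(("EXPOSED " if h["exposed"] else "blocked ") + f'{h["ts"]} {h["src"]} -> {h["dst"]}')
    print(f"{len(bad)} malformed record(s) skipped")
```

Records marked EXPOSED reached a controller before the block took effect and are candidates for the compromise review described in the actions above.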

Technical Notes – The exploit abuses a broken peering authentication mechanism in the vdaemon service, allowing manipulation of the Overlay Management Protocol (OMP) traffic that carries routing, TLOC tables, and peer state. Exploitation grants unauthenticated admin rights, enabling SSH key injection, NETCONF configuration changes, and root escalation. Multiple related CVEs (CVE‑2026‑20133, CVE‑2026‑20128, CVE‑2026‑20122) are also being leveraged in the wild. Source: DataBreachToday

📰 Original Source
https://www.databreachtoday.com/new-cisco-sd-wan-zero-day-grants-admin-access-a-31708

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.