Skip to main content

Cisco Catalyst SD-WAN CVE-2026-20182

| EUVDEUVD-2026-30324 CRITICAL
Improper Authentication (CWE-287)
2026-05-14 cisco GHSA-p83j-mxpw-gqpj
10.0
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Added to CISA KEV
May 14, 2026 - 17:47 CISA
Analysis Generated
May 14, 2026 - 17:31 vuln.today
CVE Published
May 14, 2026 - 16:08 nvd
CRITICAL 10.0

DescriptionCVE.org

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. 

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

AnalysisAI

Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.

Technical ContextAI

Cisco Catalyst SD-WAN uses a control plane architecture where vSmart controllers and vManage management platforms establish authenticated peering connections to orchestrate the SD-WAN fabric. The vulnerability (CWE-287: Improper Authentication) affects the peering authentication mechanism that validates these control connections. The affected products are Cisco Catalyst SD-WAN Manager (formerly vManage) and SD-WAN Controller (formerly vSmart), which handle centralized policy distribution, configuration management, and overlay management protocol (OMP) route exchange. When peering authentication fails to properly validate connection requests, attackers can establish control connections and access NETCONF (Network Configuration Protocol), an XML-based network management protocol running over SSH that provides programmatic access to device configuration. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component itself - in this case, the entire SD-WAN fabric managed by the compromised controller.

RemediationAI

Apply the vendor-released patches detailed in Cisco Security Advisory cisco-sa-sdwan-rpa2-v69WY2SW available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW, which provides specific fixed software versions for affected SD-WAN Controller and Manager releases. Organizations should also review the related February 2026 advisory cisco-sa-sdwan-rpa-EHchtZk at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk to ensure both vulnerabilities are addressed. Cisco's advisory includes 'Show Control Connections' guidance that enables administrators to audit existing control plane connections for unauthorized peers - run these verification commands immediately to detect potential compromise before patching. As an interim mitigation where patching is delayed, implement strict IP-based access control lists limiting control connection sources to only known legitimate SD-WAN devices and management workstations, though this does not prevent attacks from compromised branch devices that already have legitimate network access to controllers. Network segmentation isolating SD-WAN management infrastructure from general corporate networks reduces attack surface but cannot fully mitigate given the vulnerability affects legitimate control plane communications. Do not expose vSmart or vManage interfaces to the internet under any circumstances.

Share

CVE-2026-20182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy