Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (cisco).
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Articles & Coverage 2
AnalysisAI
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.
Technical ContextAI
Cisco Catalyst SD-WAN uses a control plane architecture where vSmart controllers and vManage management platforms establish authenticated peering connections to orchestrate the SD-WAN fabric. The vulnerability (CWE-287: Improper Authentication) affects the peering authentication mechanism that validates these control connections. The affected products are Cisco Catalyst SD-WAN Manager (formerly vManage) and SD-WAN Controller (formerly vSmart), which handle centralized policy distribution, configuration management, and overlay management protocol (OMP) route exchange. When peering authentication fails to properly validate connection requests, attackers can establish control connections and access NETCONF (Network Configuration Protocol), an XML-based network management protocol running over SSH that provides programmatic access to device configuration. The scope change (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component itself - in this case, the entire SD-WAN fabric managed by the compromised controller.
RemediationAI
Apply the vendor-released patches detailed in Cisco Security Advisory cisco-sa-sdwan-rpa2-v69WY2SW available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW, which provides specific fixed software versions for affected SD-WAN Controller and Manager releases. Organizations should also review the related February 2026 advisory cisco-sa-sdwan-rpa-EHchtZk at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk to ensure both vulnerabilities are addressed. Cisco's advisory includes 'Show Control Connections' guidance that enables administrators to audit existing control plane connections for unauthorized peers - run these verification commands immediately to detect potential compromise before patching. As an interim mitigation where patching is delayed, implement strict IP-based access control lists limiting control connection sources to only known legitimate SD-WAN devices and management workstations, though this does not prevent attacks from compromised branch devices that already have legitimate network access to controllers. Network segmentation isolating SD-WAN management infrastructure from general corporate networks reduces attack surface but cannot fully mitigate given the vulnerability affects legitimate control plane communications. Do not expose vSmart or vManage interfaces to the internet under any circumstances.
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticat
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that require
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templat
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate p
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30324
GHSA-p83j-mxpw-gqpj