Cisco SD-WAN Authentication Bypass Exploited in Zero-Day Attacks

Red | Vulnerability Report

Summary

Cisco Systems is urgently warning customers about a critical zero-day vulnerability tracked as CVE-2026-20182 in its Cisco Catalyst SD-WAN platform that has been actively exploited by sophisticated threat actors to gain unauthorized root access to vulnerable systems. First observed in May 2026, the CVE-2026-20182 vulnerability affects Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) products deployed across enterprise SD-WAN environments worldwide.

The CVE-2026-20182 authentication bypass vulnerability stems from a broken authentication path in the platform’s DTLS peering mechanism, allowing threat actors to impersonate trusted devices and silently bypass certificate verification during the DTLS handshake process. The CVE-2026-20182 vulnerability was actively exploited by UAT-8616, a sophisticated threat actor with documented history of targeting SD-WAN infrastructure since at least 2023 and known associations with Operational Relay Box (ORB) infrastructure used to conceal malicious operations.

Exploiting CVE-2026-20182 requires little technical sophistication: an attacker needs little more than a crafted DTLS handshake and a self-signed certificate to bypass authentication controls and obtain root-level access to Cisco Catalyst SD-WAN controllers. The vulnerability affects every unpatched Cisco Catalyst SD-WAN deployment regardless of configuration, including on-premises environments, Cisco SD-WAN Cloud-Pro, Cisco Managed SD-WAN Cloud, and FedRAMP-based government deployments, posing a serious risk to enterprise and government SD-WAN infrastructure worldwide.

Vulnerability Details

CVE-2026-20182 Critical Authentication Bypass in Cisco Catalyst SD-WAN

Cisco Systems is warning that CVE-2026-20182, a critical authentication bypass vulnerability in its Cisco Catalyst SD-WAN Controller platform, has been actively exploited as a zero-day, allowing attackers to obtain root privileges on vulnerable Cisco SD-WAN devices without valid credentials. The CVE-2026-20182 vulnerability affects the same vdaemon service over DTLS on UDP port 12346 that was vulnerable to CVE-2026-20127, but CVE-2026-20182 is not a patch bypass of that earlier flaw; rather, it represents a different vulnerability located in a similar part of the vdaemon networking stack.

CVE-2026-20182 impacts the peering authentication mechanism within the vdaemon service used by both Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager products. The CVE-2026-20182 vulnerability stems from missing verification logic inside the vbond_proc_challenge_ack() function, which handles CHALLENGE_ACK messages exchanged during the multi-stage DTLS authentication handshake. While the vbond_proc_challenge_ack() function properly validates certificates for vSmart (type 3), vManage (type 5), and vEdge (type 1) devices, it fails to perform any authentication checks for the vHub device type (type 2). As a result of the CVE-2026-20182 flaw, if a connecting peer identifies itself as a vHub device, the authentication request bypasses all validation routines and the peer is automatically marked as authenticated without certificate verification.

CVE-2026-20182 Exploitation Technique and Attack Mechanics

The CVE-2026-20182 attack can be carried out over the DTLS-over-UDP control-plane peering service running on UDP port 12346, which is used for communication between Cisco SD-WAN controllers and edge devices. Exploitation of CVE-2026-20182 is relatively simple: an attacker initiates a DTLS handshake using any self-signed certificate, receives a CHALLENGE message from the target Cisco SD-WAN system, and responds with a crafted CHALLENGE_ACK packet where the device_type field is set to 2 (vHub). Because the vulnerable code path in CVE-2026-20182 skips certificate verification for the vHub device type, authentication succeeds automatically without any credential validation.

After successful CVE-2026-20182 exploitation, the attacker can send a Hello message to move the DTLS session into an active “UP” state, establishing full authenticated access to the Cisco SD-WAN controller. The CVE-2026-20182 attack does not require valid credentials, trusted certificates, or prior knowledge of the target SD-WAN environment configuration. Cisco also noted that the pre-authentication logic in vbond_proc_msg() intentionally accepts CHALLENGE_ACK messages from peers that have not yet authenticated, because that message is itself part of the handshake; it is this design that lets the missing check in vbond_proc_challenge_ack() be reached before any certificate validation has taken place.
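The following is an added illustration, not Cisco's code: a Python model of the CHALLENGE_ACK dispatch as the advisory describes it (vEdge, vSmart and vManage validated, vHub marked authenticated without any check), beside a deny-by-default version. The trust store, the fingerprints and the behaviour for device-type codes the advisory does not mention are assumptions.

```python
from dataclasses import dataclass

# Device-type codes as given in the advisory: vEdge=1, vHub=2, vSmart=3, vManage=5.
VEDGE, VHUB, VSMART, VMANAGE = 1, 2, 3, 5

# Constructed stand-in for the controller's trust store: fingerprints of the
# certificates issued at enrolment. A self-signed certificate is never in it.
TRUSTED_FINGERPRINTS = {"sha256:AA11-enrolled-vsmart", "sha256:BB22-enrolled-vedge"}


@dataclass
class Peer:
    device_type: int
    cert_fingerprint: str       # certificate presented in the DTLS handshake
    authenticated: bool = False
    state: str = "CHALLENGED"   # CHALLENGED -(CHALLENGE_ACK)-> authenticated -(Hello)-> UP


def cert_is_trusted(fingerprint: str) -> bool:
    """Stand-in for the certificate validation the advisory says runs for vEdge, vSmart and vManage."""
    return fingerprint in TRUSTED_FINGERPRINTS


def challenge_ack_vulnerable(peer: Peer) -> bool:
    """Dispatch as the advisory describes it: the vHub type never reaches a validation branch."""
    if peer.device_type in (VEDGE, VSMART, VMANAGE):
        peer.authenticated = cert_is_trusted(peer.cert_fingerprint)
    elif peer.device_type == VHUB:
        peer.authenticated = True    # the missing check: marked authenticated as-is
    else:
        peer.authenticated = False   # assumed for codes the advisory does not describe
    return peer.authenticated


def challenge_ack_hardened(peer: Peer) -> bool:
    """Deny by default: every accepted type is validated, anything else is rejected."""
    known = peer.device_type in (VEDGE, VHUB, VSMART, VMANAGE)
    peer.authenticated = known and cert_is_trusted(peer.cert_fingerprint)
    return peer.authenticated


def hello(peer: Peer) -> str:
    """A Hello moves the session to UP only if CHALLENGE_ACK processing authenticated the peer."""
    peer.state = "UP" if peer.authenticated else "REJECTED"
    return peer.state
```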

CVE-2026-20182 Affected Products and Patch Availability

The CVE-2026-20182 vulnerability affects all vulnerable Cisco Catalyst SD-WAN deployments regardless of configuration, including on-premises environments, Cisco SD-WAN Cloud-Pro, Cisco Managed SD-WAN Cloud, and FedRAMP-based government deployments running unpatched software versions. Cisco has released fixes for CVE-2026-20182 across multiple supported software branches, including versions 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, and 26.1.1.1.

Older Cisco Catalyst SD-WAN releases such as 20.10, 20.11, 20.13, 20.14, and 20.16 have reached end of maintenance and will not receive CVE-2026-20182 patches; customers running these unsupported versions are urged to migrate immediately to a supported, patched release to remediate the CVE-2026-20182 authentication bypass vulnerability.

CVE-2026-20182 Active Exploitation by UAT-8616 Threat Actor

Cisco Systems confirmed that CVE-2026-20182 was actively exploited in May 2026, with the attack activity involving UAT-8616, a sophisticated threat actor that has targeted SD-WAN infrastructure since at least 2023. Security researchers also observed overlaps between UAT-8616’s attack infrastructure and Operational Relay Box (ORB) networks, which are commonly used by advanced threat actors to conceal malicious operations and route attacker traffic through compromised devices to evade detection.

The CVE-2026-20182 disclosure comes shortly after proof-of-concept exploit code for related Cisco SD-WAN vulnerability chains including CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 became publicly available in March 2026. Following the release of those proof-of-concept exploits, security researchers tracked at least ten separate threat clusters abusing unpatched Cisco SD-WAN Manager systems to deploy webshells, backdoors, red-team frameworks, credential stealers, and cryptominers, demonstrating widespread threat actor interest in exploiting Cisco SD-WAN vulnerabilities.

Recommendations

Apply Cisco Software Updates Immediately for CVE-2026-20182

Upgrade all Cisco Catalyst SD-WAN Controller and Manager deployments to the fixed software releases without delay to remediate CVE-2026-20182. The specific fixed release depends on the current software branch: 20.9.9.1 for the 20.9 branch, 20.12.5.4, 20.12.6.2, or 20.12.7.1 for the 20.12 branch, 20.15.4.4 or 20.15.5.2 for the 20.15 branch, 20.18.2.2 for the 20.18 branch, and 26.1.1.1 for the 26.1.1 branch. Cisco SD-WAN installations running end-of-maintenance releases including 20.10, 20.11, 20.13, 20.14, 20.16, or earlier than 20.9 must be migrated to a supported fixed release. There are no workarounds available for the CVE-2026-20182 vulnerability.

Conduct Compromise Assessment and Log Review for CVE-2026-20182 Exploitation

Audit the /var/log/auth.log file on all Cisco SD-WAN controllers for entries showing “Accepted publickey for vmanage-admin” from unknown or unauthorized IP addresses, which is a primary indicator of compromise via CVE-2026-20182 exploitation. Additionally, run the commands “show control connections detail” and “show control connections-history detail” and look for connections with state:up and challenge-ack: 0, which may indicate unauthorized peer connections established through CVE-2026-20182 exploitation. Flag any peering events that occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the SD-WAN environment’s architecture. Check for the presence of unauthorized files such as /cmd.gz/cmd.jsp or suspicious JSP files in deployment directories that could indicate post-exploitation activity.
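An added triage script (not from the advisory or from Cisco) that runs the two checks above over constructed input: the auth.log indicator from sources outside a trusted management range, and peers that are up with challenge-ack 0, of a type the fabric does not deploy, or not in the peer inventory. The "key: value" layout of the show output, the trusted ranges, the inventory and the expected peer types are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample lines in the style of /var/log/auth.log; hosts and times are made up.
AUTH_LOG = """\
May 12 03:14:07 vsmart sshd[2211]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51102 ssh2
May 12 03:15:31 vsmart sshd[2290]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40018 ssh2
May 12 03:16:02 vsmart sshd[2301]: Failed password for admin from 198.51.100.9 port 22 ssh2
"""

# Constructed sample in an ASSUMED "key: value" layout, one peer per block; real output differs.
CONTROL_CONNECTIONS = """\
peer-type: vsmart  peer-system-ip: 10.10.0.5  public-ip: 10.10.0.5  state: up  challenge-ack: 1

peer-type: vhub  peer-system-ip: 0.0.0.0  public-ip: 203.0.113.77  state: up  challenge-ack: 0

peer-type: vedge  peer-system-ip: 10.20.0.9  public-ip: 10.20.0.9  state: connect  challenge-ack: 0
"""

TRUSTED_MGMT_NETS = [ip_network("10.10.0.0/24")]       # constructed: where admins SSH from
KNOWN_PEER_IPS = {"10.10.0.5", "10.20.0.9"}             # constructed: the fabric's inventory
EXPECTED_PEER_TYPES = {"vsmart", "vmanage", "vedge"}    # constructed: this fabric deploys no vHub

SSH_RE = re.compile(r"Accepted publickey for vmanage-admin from (\S+) port")
FIELD_RE = re.compile(r"([\w-]+):\s*(\S+)")


def suspicious_ssh_logins(log_text: str) -> list:
    """Source IPs behind the advisory's SSH indicator that fall outside trusted management ranges."""
    hits = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m and not any(ip_address(m.group(1)) in net for net in TRUSTED_MGMT_NETS):
            hits.append(m.group(1))
    return hits


def suspicious_peers(show_output: str) -> list:
    """(public-ip, reasons) for peers up without a challenge-ack, of an unexpected type, or unknown."""
    findings = []
    for block in show_output.strip().split("\n\n"):
        f = dict(FIELD_RE.findall(block))
        reasons = []
        if f.get("state") == "up" and f.get("challenge-ack") == "0":
            reasons.append("up-without-challenge-ack")
        if f.get("peer-type") not in EXPECTED_PEER_TYPES:
            reasons.append("unexpected-peer-type")
        if f.get("public-ip") not in KNOWN_PEER_IPS:
            reasons.append("unknown-peer-ip")
        if reasons:
            findings.append((f.get("public-ip"), reasons))
    return findings
```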

Restrict Network Access to SD-WAN Control Plane Services

Prevent unauthorized access to the vdaemon DTLS control-plane port (UDP 12346) and the NETCONF service (TCP port 830) from untrusted networks, especially the internet, to reduce the CVE-2026-20182 attack surface. Place Cisco SD-WAN control components behind filtering devices such as firewalls and restrict traffic to known, trusted management hosts only. Disable HTTP for the Cisco SD-WAN Manager web UI administrator portal and disable any network services that are not operationally required to minimize potential attack vectors beyond CVE-2026-20182.

Harden Cisco SD-WAN Infrastructure

Change the default administrator password to a strong, unique one and limit use of the built-in administrator account by creating per-user accounts scoped to the access each role actually requires. Give day-to-day administrators operator-level accounts to enforce the principle of least privilege. Use SSL/TLS with certificates issued by a certificate authority (CA), or, where self-signed certificates are unavoidable, ensure they are properly validated by every peer. Forward logs to an external server and retain them long enough to support post-incident investigation of CVE-2026-20182 exploitation attempts. Review and implement the guidance in the Cisco Catalyst SD-WAN Hardening Guide to strengthen the overall SD-WAN security posture.

MITRE ATT&CK TTPs

Initial Access: T1190 (Exploit Public-Facing Application)

Execution: T1059 (Command and Scripting Interpreter)

Persistence: T1098.004 (SSH Authorized Keys)

Privilege Escalation: T1068 (Exploitation for Privilege Escalation)

Resource Development: T1588.006 (Vulnerabilities)

References

Cisco Security Advisory – CVE-2026-20182 Authentication Bypass Vulnerability

Rapid7 – CVE-2026-20182 Critical Authentication Bypass Cisco Catalyst SD-WAN Controller Fixed

HivePro – CVE-2026-20127 UAT-8616 Exploiting Cisco Catalyst SD-WAN Zero-Day
