Tracked as CVE-2026-20182 with a perfect CVSS score of 10.0, the flaw affects Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage).
Cisco’s advisory, published May 14, 2026, confirms that a remote, unauthenticated attacker can bypass authentication entirely and gain high-privileged access to affected systems.
Cisco’s Product Security Incident Response Team (PSIRT) has already confirmed limited active exploitation in the wild.
Cisco SD-WAN 0-Day Exploited
The root cause is an improper authentication flaw (CWE-287) in the control plane’s peering mechanism.
Specifically, the vulnerability lives in the “vdaemon” service, which handles DTLS-based control-plane communications over UDP port 12346.
During the authentication handshake, the service validates peers based on device type, but a logic flaw allows attackers to falsely declare themselves as a “vHub” device, bypassing all certificate verification checks entirely.
Once that happens, the system marks the attacker as authenticated, transitions the malicious peer to an active “UP” state, and opens full control-plane access.
Technical analysis from Rapid7, whose researchers Stephen Fewer and Jonah Burgess discovered the flaw, reveals a precise exploitation chain:
- Establish a fake DTLS session
- Send a crafted CHALLENGE_ACK message
- Inject an SSH public key into the vmanage-admin account’s authorized_keys file
- Log in via NETCONF (TCP port 830) as a privileged user
- Execute arbitrary configuration commands across the entire SD-WAN fabric
This grants attackers the ability to modify routing, manipulate policies, reroute sensitive traffic, and establish persistent backdoor access, all without ever knowing a single password.
The Cisco Catalyst SD-WAN Controller serves as the central control plane for distributed enterprise environments. A compromise here cascades across every connected site.
Cisco confirmed that all deployment types are affected, including Cloud, Cloud-Pro, and FedRAMP environments, making the attack surface unusually wide.
Detection and Indicators of Compromise
Security teams should immediately audit /var/log/auth.log for entries showing “Accepted publickey for vmanage-admin” from unrecognized IP addresses.
Additional red flags include unexpected control-plane peering events, connections from unknown public IPs, and suspicious device types in control connection logs.
The command show control connections detail can help surface anomalies.
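The auth.log check described above can be scripted so that every public-key login to the vmanage-admin account from outside the expected management networks is flagged. The following is an added example, not Cisco's or Rapid7's code; the management networks in TRUSTED_NETS and the log lines in SAMPLE_LOG are constructed placeholders, and the line format assumed is the standard OpenSSH "Accepted publickey for ... from ... port ..." message.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Matches the OpenSSH "Accepted" message the advisory points at and captures
# the auth method, account name, source address and source port.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Hypothetical allowlist of networks expected to reach the controller over SSH;
# replace with your own management ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def parse_accepted(line: str):
    """Return a dict for an 'Accepted ...' sshd line, or None for anything else."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_suspicious_logins(lines: Iterable[str], account: str = "vmanage-admin",
                           nets=TRUSTED_NETS) -> List[Dict]:
    """Public-key logins for `account` whose source is not in a trusted network."""
    hits = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is None or rec["user"] != account or rec["method"] != "publickey":
            continue
        if not is_trusted(rec["ip"], nets):
            rec["line"] = line.rstrip()
            hits.append(rec)
    return hits


# Constructed sample log lines, not real controller output.
SAMPLE_LOG = """\
May 14 09:01:12 vmanage sshd[2101]: Accepted publickey for vmanage-admin from 10.10.5.21 port 50122 ssh2: RSA SHA256:AAAA
May 14 09:03:40 vmanage sshd[2140]: Accepted password for admin from 10.10.5.21 port 50130 ssh2
May 14 09:07:55 vmanage sshd[2188]: Accepted publickey for vmanage-admin from 203.0.113.45 port 41873 ssh2: ED25519 SHA256:BBBB
May 14 09:08:02 vmanage sshd[2190]: Failed publickey for vmanage-admin from 198.51.100.9 port 41001 ssh2
"""

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"SUSPICIOUS: {hit['user']} key login from {hit['ip']}:{hit['port']}")
```

A hit from an unfamiliar address should be correlated with the authorized_keys contents of the vmanage-admin account and with the control-connection peering logs mentioned above.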
There are no available workarounds. Cisco has released fixed software versions and urges immediate upgrades. Before patching, administrators should run request admin-tech to preserve forensic evidence.
Organizations should also restrict internet-facing exposure of SD-WAN controllers and engage Cisco TAC if a compromise is suspected.
The post Cisco Catalyst SD-WAN Controller 0-Day Exploited for Admin Access appeared first on Cyber Security News.
