

Cisco has disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager products, tracked as CVE-2026-20182 and rated CVSS 10.0. The flaw allows an unauthenticated remote attacker to log in as an internal high-privileged account and seize control of the entire SD-WAN fabric. Cisco confirmed limited exploitation in the wild in May 2026, and the US Cybersecurity and Infrastructure Security Agency moved swiftly to add the vulnerability to its Known Exploited Vulnerabilities catalogue. Federal civilian agencies were ordered to patch by 17 May 2026.
The threat actor behind the activity, tracked by Cisco Talos as UAT-8616, has previously exploited a near-identical bug in the same product line. Independent researchers at Rapid7 have also assessed the flaw as critical, given its unauthenticated nature and the privilege level it confers.
The vulnerability sits in the peering authentication mechanism of the vdaemon service, which listens on UDP port 12346 over DTLS. By sending specially crafted requests to this service, an attacker can bypass authentication entirely and obtain access as an internal, non-root but high-privileged user account that exists for internal peering between Catalyst SD-WAN components.
From that foothold, the attacker reaches the NETCONF interface. NETCONF is the configuration protocol used to push and pull state across the SD-WAN fabric, so access at this level is effectively access to the brain of the network. An attacker can alter routing, redefine policies, push device configurations, and reshape how branch sites communicate with one another and with the wider internet.
Two design choices in the affected products make this issue particularly serious. The first is that vdaemon listens on UDP port 12346 to handle peering traffic between Catalyst SD-WAN components, meaning any Catalyst SD-WAN Controller or Manager reachable on that port is a candidate target. The second is that the bypass grants access as an internal high-privileged account used for component-to-component peering, which gives the attacker a stable platform to pivot from.
Cisco Talos has attributed the exploitation activity to UAT-8616, a group it describes as a highly sophisticated cyber threat actor. The same group previously exploited CVE-2026-20127, an earlier authentication weakness in the Catalyst SD-WAN Controller, which suggests sustained research interest in this product family rather than opportunistic scanning.
Once inside, UAT-8616 has been observed attempting several actions in sequence. Operators tried to add SSH keys to the compromised systems, giving themselves a persistent way back in even if the original bypass were patched. They modified NETCONF configurations, which in an SD-WAN environment can translate directly into changes at every connected branch device. They also attempted to escalate from the internal high-privileged account to root, which would hand them complete control over the underlying operating system rather than just the application layer.
Talos noted that the infrastructure used in these intrusions overlaps with Operational Relay Box networks it has been tracking. ORB networks are clusters of compromised or rented devices, often small office routers or virtual private servers, that threat actors use to obscure the true origin of their traffic. The presence of ORB infrastructure points to an actor that invests in operational security and expects to be hunted.
So far, exploitation of CVE-2026-20182 by UAT-8616 appears limited compared with the broader campaign the group ran against CVE-2026-20127. That may reflect the fresher patch cycle, narrower targeting, or simply that defenders began watching for the activity earlier this time. Limited exploitation is not the same as low risk, however, and the maximum CVSS rating reflects what a successful attack would mean rather than how many attacks have occurred to date.
The vulnerability affects both on-premises and Cisco-managed deployments. That includes traditional On-Prem installations, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud where Cisco itself operates the controller, and Cisco SD-WAN for Government, the FedRAMP-authorised offering used by US federal customers.
The affected version ranges, as published in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW, are extensive. All 20.9.x releases and earlier are affected with no fix available in those branches. In the 20.10 to 20.12 family, customers need to be on 20.12.5.4, 20.12.6.2 or 20.12.7.1 or later. Releases from 20.13.x through 20.15.x require 20.15.5.2 or later. The 20.16.x and 20.18.x branches need to be on 20.18.2.2 or later. The newer 26.1.x branch requires 26.1.1.1 or later.
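An added helper, not from Cisco or the advisory, that applies the fixed-release ranges above to a running version string. It assumes the "or later" wording applies within each listed maintenance train (so 20.12.5.4 covers 20.12.5.x with x >= 4 but not 20.12.6.0) and to any train newer than the last one listed in a family; versions outside the ranges quoted above are reported as unlisted.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed releases for CVE-2026-20182 per cisco-sa-sdwan-rpa2-v69WY2SW, keyed by
# the (lowest, highest) major.minor of the branch family each list covers.
FIXED_RELEASES: Dict[Tuple[Version, Version], List[Version]] = {
    ((20, 10), (20, 12)): [(20, 12, 5, 4), (20, 12, 6, 2), (20, 12, 7, 1)],
    ((20, 13), (20, 15)): [(20, 15, 5, 2)],
    ((20, 16), (20, 18)): [(20, 18, 2, 2)],
    ((26, 1), (26, 1)): [(26, 1, 1, 1)],
}


def parse_version(text: str) -> Version:
    """Turn '20.12.5.4' or '20.12.5' into a four-part integer tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable-no-fix' or 'unlisted'."""
    v = parse_version(text)
    if v[:2] <= (20, 9):
        return "vulnerable-no-fix"  # no fixed release exists in 20.9.x and earlier
    for (low, high), fixed in FIXED_RELEASES.items():
        if not low <= v[:2] <= high:
            continue
        # Assumption: 'or later' applies within each listed train (same first
        # three components) and to any train newer than the last one listed.
        for f in fixed:
            if v[:3] == f[:3] and v >= f:
                return "fixed"
        if v >= max(fixed):
            return "fixed"
        return "vulnerable"
    return "unlisted"
```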
The same advisory addresses three further flaws in the Catalyst SD-WAN product line, tracked as CVE-2026-20209, CVE-2026-20210 and CVE-2026-20224. Although Cisco has not described these as actively exploited, they ship in the same patch bundle and should be treated as part of the same remediation effort.
Patching is the only effective remediation. Cisco has not offered a workaround, because the vulnerable code path is part of the standard peering authentication flow used by Controller and Manager to authenticate each other and federate state. Disabling it would break the product.
Operators of Cisco-managed cloud variants will receive updates through Cisco itself, but customers running On-Prem or Cloud-Pro deployments must plan and execute the upgrade themselves. For organisations subject to CISA's Binding Operational Directive 22-01, the 17 May 2026 deadline applies regardless of change-management calendars.
Beyond patching, defenders should review their Controllers and Managers for the specific indicators of compromise reported by Talos in connection with UAT-8616. That means auditing authorised SSH keys on the appliances, looking for unexpected NETCONF configuration changes against a known-good baseline, and checking for any privilege escalation attempts in system logs. Network telemetry should be examined for inbound DTLS traffic to UDP 12346 from unexpected sources, as the management plane of an SD-WAN fabric should never be exposed to arbitrary internet peers.
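Two of the checks above, written as an added example that is not from Cisco, Talos or this article: flagging inbound UDP 12346 traffic from sources outside an assumed peer allowlist, and diffing an appliance's authorized_keys against a known-good baseline. The flow records, allowlist and key strings are all constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample flow records (not real telemetry): one record per line,
# key=value fields in the style a flow collector might export.
FLOW_LOG = """\
ts=2026-05-10T08:01:02Z src=10.20.0.11 dst=10.20.0.5 proto=udp dport=12346 bytes=812
ts=2026-05-10T08:01:03Z src=203.0.113.77 dst=10.20.0.5 proto=udp dport=12346 bytes=1460
ts=2026-05-10T08:01:04Z src=10.20.0.12 dst=10.20.0.5 proto=tcp dport=22 bytes=220
ts=2026-05-10T08:01:05Z src=198.51.100.9 dst=10.20.0.5 proto=udp dport=12346 bytes=1460
"""

# Assumed allowlist of legitimate SD-WAN peers expected to reach the vdaemon port.
PEER_ALLOWLIST: Set[str] = {"10.20.0.11", "10.20.0.12"}
VDAEMON_PORT = "12346"


def parse_flow(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def unexpected_vdaemon_sources(log: str, allowlist: Set[str]) -> List[str]:
    """Sources sending UDP 12346 traffic to the appliance that are not known peers."""
    hits: List[str] = []
    for line in log.splitlines():
        rec = parse_flow(line)
        if rec.get("proto") == "udp" and rec.get("dport") == VDAEMON_PORT:
            if rec["src"] not in allowlist:
                hits.append(rec["src"])
    return hits


# Constructed known-good baseline and current authorized_keys contents.
BASELINE_KEYS: Set[str] = {"ssh-ed25519 AAAAC3EXAMPLEBASELINE1 netops@mgmt"}
CURRENT_AUTHORIZED_KEYS = """\
# managed by netops
ssh-ed25519 AAAAC3EXAMPLEBASELINE1 netops@mgmt
ssh-rsa AAAAB3EXAMPLEUNEXPECTED1 user@unknown
"""


def added_keys(baseline: Set[str], current: str) -> Set[str]:
    """Keys present on the appliance now that were not in the baseline."""
    live = {l.strip() for l in current.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}
    return live - baseline
```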
Given UAT-8616's repeated focus on this product family, organisations running Catalyst SD-WAN should assume the group will return when the next suitable flaw appears. Treating the management plane as a high-value attack surface, segmenting it accordingly, and monitoring it as closely as any domain controller is a sensible response to a pattern that now spans at least two critical CVEs.
A successful attacker can log in as an internal high-privileged account, access the NETCONF interface to alter routing and policies across the SD-WAN fabric, add SSH keys for persistent access, and attempt root-level privilege escalation. Each of these behaviours has been observed in UAT-8616 intrusions reported by Cisco Talos.
Yes. The vulnerability affects On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Cisco pushes updates for managed instances, but On-Prem and Cloud-Pro customers must plan and apply the patches themselves.
Cisco has not published a workaround. The vulnerable code path is integral to the peering authentication flow and cannot be disabled without breaking the product. Network segmentation that limits access to UDP port 12346 to authorised peers only reduces the exposed surface while patching is planned, but it is not a substitute for applying the fixed releases.