Cisco Warns of Actively Exploited Zero-Day in Catalyst SD-WAN (CVE-2026-20182)

Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

CRITICAL
May 15, 2026
Categories: Vulnerability, Cyberattack, Threat Intelligence

Related Entities

Threat Actors: UAT-8616
Organizations: Cisco, CISA, Cisco Talos
Products & Tech: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager
Other: Rapid7, Tenable
CVE Identifiers: CVE-2026-20182 (CRITICAL, CVSS 10.0)

Executive Summary

Cisco has disclosed a critical, maximum-severity authentication bypass vulnerability, CVE-2026-20182, affecting its Catalyst SD-WAN Controller and Manager platforms. The flaw, which scores a 10.0 on the CVSS scale, allows a remote, unauthenticated attacker to gain administrative privileges. Cisco has confirmed that this vulnerability is being actively exploited as a zero-day in limited, targeted attacks by a threat actor it tracks as UAT-8616. Due to the severity and active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to the Known Exploited Vulnerabilities (KEV) catalog, requiring immediate remediation by federal agencies. Organizations using the affected products are urged to apply the provided software updates without delay.


Vulnerability Details

The vulnerability exists in the peering authentication mechanism of the control connection handshake within the vdaemon service. According to Cisco's advisory, the authentication process does not function correctly, enabling an attacker to exploit the flaw by sending crafted requests to the Datagram Transport Layer Security (DTLS) service, which typically runs on UDP port 12346.

Successful exploitation allows an attacker to bypass authentication and become a trusted peer of the target appliance. This grants the attacker the ability to log in as a high-privileged, non-root internal user. From this position, the attacker can access the Network Configuration Protocol (NETCONF) to manipulate the network configuration for the entire SD-WAN fabric. This effectively gives the attacker complete control over the network, allowing them to intercept, redirect, or drop traffic at will. The flaw affects all deployment types, including on-premises, cloud-hosted, and government-specific instances.


Technical Analysis

The attack chain observed in the wild involves the threat actor UAT-8616 exploiting CVE-2026-20182 to gain initial access. Once authenticated as a peer, the attacker's primary objective is to establish persistent access. This is achieved by leveraging their privileged access to NETCONF to inject an attacker-controlled public SSH key into the vmanage-admin user account's authorized_keys file. This TTP falls under T1098.004 - SSH Authorized Keys.

This grants the threat actor persistent, credential-independent access to the SD-WAN manager, enabling further malicious activities. Post-compromise actions include attempts to escalate privileges to root (T1068 - Exploitation for Privilege Escalation) and further manipulation of network configurations (T1482 - Domain Trust Discovery). Cisco notes that UAT-8616 is the same sophisticated group that previously exploited a similar vulnerability, CVE-2026-20127, indicating a persistent and skilled adversary focused on Cisco's SD-WAN infrastructure.

MITRE ATT&CK Techniques Observed

Tactic                 Technique ID   Technique Name
Initial Access         T1190          Exploit Public-Facing Application
Persistence            T1098.004      SSH Authorized Keys
Privilege Escalation   T1068          Exploitation for Privilege Escalation
Defense Evasion        T1078          Valid Accounts
Discovery              T1482          Domain Trust Discovery

Affected Systems

The vulnerability impacts all deployment types of Cisco Catalyst SD-WAN products. According to Cisco, this includes:

  • Cisco Catalyst SD-WAN Controller (On-premises)
  • Cisco Catalyst SD-WAN Manager (On-premises)
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Affected software releases include:

  • All releases earlier than 20.9
  • Releases 20.9 through 20.18
  • Release 26.1

Impact Assessment

A successful exploit of CVE-2026-20182 is catastrophic. Gaining administrative control over the SD-WAN fabric allows an attacker to control the entire network of a distributed organization. Potential impacts include:

  • Data Interception: Attackers can redirect traffic to their own infrastructure to perform man-in-the-middle attacks and steal sensitive data.
  • Network Disruption: The ability to modify routing and network policies can lead to widespread outages, crippling business operations.
  • Espionage and Lateral Movement: The SD-WAN controller is a central pivot point. An attacker can use this access to map the internal network and move laterally to other critical systems.
  • Persistent Foothold: By implanting SSH keys or other backdoors, the attacker can maintain long-term, stealthy access to the network.

Given that UAT-8616 is described as a

Timeline of Events

1. May 1, 2026: Cisco becomes aware of limited, targeted exploitation of CVE-2026-20182.
2. May 14, 2026: Cisco publicly discloses the vulnerability and releases software updates.
3. May 14, 2026: CISA adds CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog.
4. May 15, 2026: This article was published.
5. May 17, 2026: Deadline set by CISA for US federal agencies to apply the patch.

MITRE ATT&CK Mitigations

  • The most critical mitigation is to apply the security updates provided by Cisco immediately to fix the vulnerability.
  • Restrict access to the SD-WAN management interface and associated ports (like UDP 12346) to trusted IP addresses and networks only.
  • Audit (M1047): Implement robust logging and monitoring for the SD-WAN environment, specifically auditing for unauthorized configuration changes, new user accounts, or modifications to SSH authorized keys.
  • Utilize an IDS/IPS to monitor for and potentially block malicious traffic patterns targeting the known vulnerable service and port.
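A baseline audit for the T1098.004 persistence step described in the Technical Analysis and for the Audit (M1047) mitigation above, as an added example that is not part of the original article or of any Cisco tooling: it parses an OpenSSH authorized_keys file, computes each key's OpenSSH-style SHA256 fingerprint, and reports any entry that is malformed or not in an approved allowlist taken from a known-good baseline. The file contents and keys are constructed sample data; treating the vmanage-admin account's file as the audited input is an assumption.

```python
import base64
import hashlib
from typing import Dict, Iterator, List, Set

# Key types that may begin the key field; an options prefix (restrict, from=, ...) may precede it.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def parse_authorized_keys(text: str) -> Iterator[Dict]:
    """Yield one record per non-comment line: line number, key type, OpenSSH-style
    SHA256 fingerprint and comment. Lines that cannot be parsed are flagged malformed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True) if idx is not None else None
        except (ValueError, IndexError):
            blob = None
        if blob is None:
            yield {"line": lineno, "type": None, "fingerprint": None,
                   "comment": line, "malformed": True}
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        yield {"line": lineno, "type": fields[idx], "fingerprint": "SHA256:" + digest,
               "comment": " ".join(fields[idx + 2:]), "malformed": False}


def audit_authorized_keys(text: str, approved: Set[str]) -> List[Dict]:
    """Return every entry that is malformed or whose fingerprint is not in the approved set."""
    return [k for k in parse_authorized_keys(text)
            if k["malformed"] or k["fingerprint"] not in approved]


def _constructed_ed25519_pubkey(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key field from a fixed byte pattern.
    Constructed sample data for this demo, not a real key."""
    key_bytes = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed baseline: the single key operations expects on the vmanage-admin account (assumed path).
BASELINE = "# constructed baseline for vmanage-admin\n" + _constructed_ed25519_pubkey(1) + " ops-jumphost\n"
# Constructed post-compromise file: baseline plus an unknown key behind an options prefix, and a junk line.
CURRENT = BASELINE + 'restrict,from="203.0.113.0/24" ' + _constructed_ed25519_pubkey(2) + "\nnot a key\n"
APPROVED = {k["fingerprint"] for k in parse_authorized_keys(BASELINE)}
```

Run `audit_authorized_keys(CURRENT, APPROVED)` to get the two entries that deviate from the baseline (the unknown key on line 3 and the malformed line 4); comparing fingerprints rather than raw lines means an attacker adding options or a comment to an existing approved key does not hide a new key.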

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

CVE-2026-20182, Zero-Day, Cisco, SD-WAN, Authentication Bypass, UAT-8616, KEV, CISA
