Attackers Exploited SD-WAN Controller Auth Bypass, Cisco Warns
Cisco reports an authentication bypass in Catalyst SD-WAN Controller (CVE-2026-20182) was exploited, allowing unauthenticated remote actors to gain administrative access.
Cisco released security updates after detecting limited exploitation of an authentication bypass in Catalyst SD-WAN Controller (CVE-2026-20182) in May 2026. The company assigned the vulnerability a CVSS score of 10.0 and said the flaw affects on-prem deployments, Cisco’s managed cloud offering and the FedRAMP-authorized SD-WAN for Government service.
The issue stems from a flaw in the controller’s peering authentication mechanism. An attacker who sends specially crafted requests can log in as an internal, high-privileged, non-root account on the controller and then use that access to reach NETCONF and modify the SD-WAN fabric’s network configuration. Cisco noted that controllers reachable from the public internet with exposed ports face a heightened risk of compromise.
Security firm Rapid7, which reported the flaw, linked the issue to the same vdaemon service involved in a prior critical bypass, CVE-2026-20127, which also carried a CVSS score of 10.0 and was tracked as exploited by a persistent threat actor since at least 2023. Rapid7 researchers Jonah Burgess and Stephen Fewer wrote, “The new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127.” They added, “The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”
Cisco urged customers to apply the available updates immediately and to review systems for signs of compromise. As indicators of possible exploitation, Cisco recommended auditing the /var/log/auth.log file for entries such as “Accepted publickey for vmanage-admin” originating from unknown or unauthorized IP addresses. Administrators were also advised to check logs for suspicious peering events, including unauthorized peer connections at unusual times, connections from unrecognized IP addresses, or device types that do not match the expected environment.
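The auth.log check Cisco describes is easy to script. The following is an added example written for this page, not Cisco's or Rapid7's code: it parses standard OpenSSH `sshd` "Accepted ... for ... from ..." lines (the assumed log format), keeps only logins as `vmanage-admin`, and flags any whose source address falls outside an operator-supplied allowlist. The sample log lines, the allowlist networks and the addresses in them are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Standard OpenSSH sshd success line behind a syslog prefix, e.g.
#   May 12 03:14:07 vmanage sshd[2188]: Accepted publickey for vmanage-admin from 10.1.2.3 port 51234 ssh2: ...
# Assumption: the controller's /var/log/auth.log uses this format.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\da-fA-F:.]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    source_ip: str
    reason: str


def parse_accepted(line):
    """Return the fields of an 'Accepted ...' sshd line, or None for anything else."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def audit_auth_log(lines, allowed_networks, watched_users=("vmanage-admin",)):
    """Flag successful logins by watched users from addresses outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is None or rec["user"] not in watched_users:
            continue  # failed logins and other users are out of scope for this check
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            findings.append(Finding(rec["ts"], rec["user"], rec["ip"], "unparseable source address"))
            continue
        # `ip in net` is False for mismatched address families, so mixed v4/v6 allowlists are safe
        if not any(ip in n for n in nets):
            findings.append(Finding(rec["ts"], rec["user"], str(ip), "source not in allowlist"))
    return findings


# Constructed sample log lines using documentation address ranges (not real telemetry).
SAMPLE_LOG = [
    "May 12 03:14:07 vmanage sshd[2188]: Accepted publickey for vmanage-admin from 10.1.2.3 port 51234 ssh2: RSA SHA256:abcd",
    "May 12 03:19:41 vmanage sshd[2201]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40022 ssh2: RSA SHA256:efgh",
    "May 12 03:20:02 vmanage sshd[2210]: Accepted password for admin from 203.0.113.9 port 40100 ssh2",
    "May 12 03:21:15 vmanage sshd[2215]: Failed publickey for vmanage-admin from 198.51.100.77 port 40030 ssh2",
]

# Hypothetical allowlist: management subnets from which vmanage-admin logins are expected.
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]

if __name__ == "__main__":
    for f in audit_auth_log(SAMPLE_LOG, ALLOWED_NETWORKS):
        print(f"{f.timestamp} {f.user} from {f.source_ip}: {f.reason}")
```

Run against a real controller with `audit_auth_log(open("/var/log/auth.log"), ALLOWED_NETWORKS)` after replacing the allowlist with the networks your own operators use; a hit is a lead for investigation, not proof of exploitation, since it only tells you the login came from somewhere you did not expect.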
NETCONF is the protocol used to install, change and remove network device configuration. Unauthorized access to NETCONF can permit an attacker to alter routing policies, push malicious configurations or disrupt service.
Cisco has published mitigation steps and update guidance for affected customers and reiterated the need for patching and log monitoring. The vulnerability follows an earlier critical bypass in the same service and was confirmed to have seen limited exploitation in May 2026.