Cisco Patches Exploited SD-WAN Zero-Day Vulnerability CVE-2026-20182


Cisco Patches Another Actively Exploited SD-WAN Zero-Day Vulnerability

A sophisticated cyber threat actor has been exploiting a zero-day vulnerability in the Cisco Catalyst SD-WAN Controller authentication mechanism, allowing them to gain elevated access to the system.

According to researchers at Rapid7, the vulnerability, identified as CVE-2026-20182, affects both the SD-WAN Controller and SD-WAN Manager components of the Cisco Catalyst SD-WAN solution.

The vulnerability resides in the “vdaemon” networking stack, specifically in the DTLS protocol used by the vdaemon service over UDP port 12346. Attackers can exploit this vulnerability to become an authenticated peer of the target appliance, enabling them to inject an attacker-controlled public key into the vmanage-admin user account’s authorized SSH keys file.

Once an attacker gains access to the NETCONF service via SSH over TCP port 830 as the vmanage-admin user, they can issue arbitrary NETCONF commands to reconfigure the SD-WAN fabric. Cisco has tied the exploitation of both vulnerabilities to a group dubbed UAT-8616, which has been linked to previous attacks on Cisco systems.

Exploitation Details

  • Attackers can exploit this vulnerability to become an authenticated peer of the target appliance.
  • They can inject an attacker-controlled public key into the vmanage-admin user account’s authorized SSH keys file.
  • Once an attacker gains access to the NETCONF service via SSH over TCP port 830 as the vmanage-admin user, they can issue arbitrary NETCONF commands to reconfigure the SD-WAN fabric.

Patch Release

Cisco has released a software update to address the issue and recommends that customers upgrade to a fixed software release. It also advises reviewing SD-WAN Controller logs for suspicious activity, in particular public keys accepted from unknown or unauthorized IP addresses.
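A complementary check to the log review above is to audit the keys that actually ended up authorized for the vmanage-admin account against a baseline of fingerprints the operations team approved. The script below is an added example, not Cisco's, Talos's or the article's tooling; it assumes the accepted keys are exposed in standard OpenSSH authorized_keys format (an assumption about the appliance) and the key blobs, the sample file and the baseline are constructed for the demonstration. It parses each entry, verifies that the declared key type matches the type embedded in the blob, computes the SHA256 fingerprint the way ssh-keygen prints it, and reports every key that is not in the baseline.

```python
"""Audit an OpenSSH-format authorized_keys file against an approved fingerprint baseline.

Added example, not Cisco's or Talos's code. Assumes the keys accepted for
vmanage-admin are stored in standard OpenSSH authorized_keys format; all key
material, sample lines and the baseline below are constructed for illustration.
"""
import base64
import hashlib
import struct
from typing import Dict, List, NamedTuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


class KeyEntry(NamedTuple):
    key_type: str
    fingerprint: str  # "SHA256:<base64>" in the style ssh-keygen -lf prints
    comment: str
    options: str      # e.g. from="..." restrictions; empty if none


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, key_material: bytes) -> str:
    """Build a base64 blob in OpenSSH wire layout (type string, then payload).
    Used only to construct sample entries; the payload is not a real key."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 over the raw key blob, base64 without padding (OpenSSH style)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[KeyEntry]:
    """Parse lines of the form: [options] key-type base64-blob [comment].
    Options containing quoted whitespace are not handled. A blob whose embedded
    type disagrees with the declared type is rejected as malformed."""
    entries: List[KeyEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: no key type and blob found")
        key_type, blob = tokens[idx], tokens[idx + 1]
        decoded = base64.b64decode(blob, validate=True)
        if len(decoded) < 4:
            raise ValueError(f"line {lineno}: blob too short")
        (tlen,) = struct.unpack(">I", decoded[:4])
        embedded_type = decoded[4:4 + tlen].decode()
        if embedded_type != key_type:
            raise ValueError(f"line {lineno}: declared {key_type} but blob says {embedded_type}")
        entries.append(KeyEntry(
            key_type=key_type,
            fingerprint=fingerprint(blob),
            comment=" ".join(tokens[idx + 2:]),
            options=" ".join(tokens[:idx]),
        ))
    return entries


def audit_keys(text: str, baseline: Dict[str, str]) -> List[KeyEntry]:
    """Return every entry whose fingerprint is not in the approved baseline."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in baseline]


# Constructed sample: one approved operator key and one key absent from the baseline.
KNOWN_BLOB = make_key_blob("ssh-ed25519", bytes(range(32)))
UNKNOWN_BLOB = make_key_blob("ssh-ed25519", bytes(reversed(range(32))))
SAMPLE_AUTHORIZED_KEYS = f"""# vmanage-admin authorized_keys (constructed sample)
from="10.10.0.0/16" ssh-ed25519 {KNOWN_BLOB} ops-admin@mgmt
ssh-ed25519 {UNKNOWN_BLOB} no-comment-unexpected
"""
BASELINE = {fingerprint(KNOWN_BLOB): "ops-admin@mgmt"}  # fingerprint -> owner

if __name__ == "__main__":
    for entry in audit_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNKNOWN KEY {entry.fingerprint} type={entry.key_type} "
              f"comment={entry.comment!r} options={entry.options!r}")
```

Keeping the baseline as fingerprints rather than full key text means it can be maintained outside the appliance and compared after any suspected exposure; an entry with no `from=` restriction and no recognisable comment, as in the sample, is exactly the kind of key the log review should then trace back to its source address.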

Additional Fixes

Cisco has also pushed out fixes for an information disclosure (CVE-2026-20224) and two privilege escalation vulnerabilities (CVE-2026-20209 and CVE-2026-20210) affecting Cisco Catalyst SD-WAN Manager, although these are not believed to have been exploited.

Indicators of Compromise

Researchers at Cisco Talos have published indicators of compromise and additional information on ongoing attacks perpetrated by exploiting various vulnerabilities in Cisco Catalyst SD-WAN Manager.
