Rapid7 found a second CVSS 10 in Cisco SD-WAN while researching the first
Two unauthenticated auth bypasses in the same Cisco vdaemon in under three months, both being exploited by the same actor that has been sitting in critical-infrastructure fabrics since 2023.
Rapid7 was researching February’s CVE-2026-20127 when it found CVE-2026-20182. Same daemon. Same code path region. Different logic gap. Cisco shipped the fix today, and Cisco Talos confirmed active in-the-wild exploitation on the same day.
This is the second CVSS 10.0 unauthenticated authentication bypass in Cisco’s vdaemon service in under three months. Both affect Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). Both are being exploited by the same actor cluster, UAT-8616, which Talos traced back to at least 2023 in its February write-up.
Rapid7 is explicit that the new bug is not a patch bypass of the February CVE. It is a separate flaw the original code review missed.
What the bug actually is
vdaemon is the control-plane peering daemon. It listens on UDP/12346 with DTLS and brokers Overlay Management Protocol traffic across every controller and edge in the fabric. Anyone authenticated to it as a peer effectively holds the routing fabric.
Per Rapid7’s disclosure, once the DTLS handshake completes vdaemon sends a CHALLENGE carrying 256 random bytes and CA public-key components, then expects the client’s CHALLENGE_ACK to pass device-type-specific certificate verification. There is no verification path for device type 2, the vHub type. A client that declares itself a vHub is accepted as a fully authenticated control-plane peer with no certificate, no PSK, no credential of any kind: just a correctly structured handshake message.
Once peered, Cisco’s advisory confirms the attacker can inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys. That account is the internal NETCONF service identity used between vManage and vSmart on TCP/830, so the planted key buys password-less NETCONF access across the fabric.
CVE-2026-20127, disclosed February 25, was a different miss in the same daemon: an authentication gate in vbond_proc_msg() exempted CHALLENGE_ACK_ACK (msg_type 10) entirely, letting an attacker flip the peer’s authenticated flag by sending a forged ACK with verify_status=1. Two control-plane authentication bypasses, three months apart, both unauthenticated, both CVSS 10. The kindest reading is that whoever audited vdaemon in response to the first bug stopped looking at the handshake state machine before they reached device type 2.
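Both logic gaps come down to a dispatcher that fails open. The model below is written for this note and is not Cisco’s code: it keeps only the values the disclosures name (msg_type 10 for CHALLENGE_ACK_ACK, device type 2 for vHub) and assumes the rest, and it shows the vulnerable dispatch beside a fail-closed version.

```python
from dataclasses import dataclass

# CHALLENGE_ACK_ACK is msg_type 10 per the CVE-2026-20127 write-up; the
# CHALLENGE_ACK value and the non-vHub device type values are assumed.
CHALLENGE_ACK, CHALLENGE_ACK_ACK = 9, 10
DEVICE_VEDGE, DEVICE_VSMART, DEVICE_VHUB = 0, 1, 2  # 2 = vHub per Rapid7

@dataclass
class Peer:
    device_type: int
    authenticated: bool = False

def verify_certificate(device_type: int, cert) -> int:
    """Stand-in for the per-type certificate check: 0 = ok, nonzero = fail.
    Nothing verifies here, so any authenticated peer skipped the check."""
    return 1

# Only device types that have a real verification routine are listed.
VERIFIERS = {DEVICE_VEDGE: verify_certificate, DEVICE_VSMART: verify_certificate}

def proc_msg_vulnerable(peer: Peer, msg_type: int, body: dict) -> bool:
    """Both logic gaps in one dispatcher."""
    if msg_type == CHALLENGE_ACK_ACK:
        # CVE-2026-20127 pattern: exempt from the gate, client status believed.
        peer.authenticated = body.get("verify_status") == 1
        return peer.authenticated
    if msg_type == CHALLENGE_ACK:
        err = 0  # starts as "success"; only a matching branch can change it
        if peer.device_type == DEVICE_VEDGE:
            err = verify_certificate(peer.device_type, body.get("cert"))
        elif peer.device_type == DEVICE_VSMART:
            err = verify_certificate(peer.device_type, body.get("cert"))
        # CVE-2026-20182 pattern: no branch for DEVICE_VHUB, so err stays 0.
        peer.authenticated = err == 0
        return peer.authenticated
    return False

def proc_msg_hardened(peer: Peer, msg_type: int, body: dict) -> bool:
    """Fail closed: unknown types rejected, no client field sets auth state."""
    if msg_type == CHALLENGE_ACK:
        verifier = VERIFIERS.get(peer.device_type)
        if verifier is None:
            return False
        peer.authenticated = verifier(peer.device_type, body.get("cert")) == 0
        return peer.authenticated
    if msg_type == CHALLENGE_ACK_ACK:
        return peer.authenticated  # reports state; never changes it
    return False
```

The review lesson is the shape of the code, not the device type: an error variable initialised to success and a message type carved out of the gate are both findings a state-machine audit should catch regardless of which enum value is missing.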
The actor was already inside
Talos’s February write-up traces UAT-8616 exploitation of the earlier CVE back to at least 2023, with targeting focused on critical-infrastructure sectors globally. The campaign has been running for roughly three years. The February joint advisory co-sealed by CISA, NSA, NCSC-UK, ASD’s ACSC, CCCS, and NCSC-NZ declined to attribute to a state sponsor. Talos calls UAT-8616 “highly sophisticated” and leaves it there. Year-scale dwell and CI targeting are suggestive. They are not attribution, and the public record does not currently support more than that.
The post-compromise playbook Talos documents is the most operationally telling detail in the file. After gaining high-privileged non-root access through the auth bypass, the actor deliberately downgrades the SD-WAN software to a build still vulnerable to CVE-2022-20775, exploits that older CLI LPE for root, then restores the original patched version to reduce forensic visibility. Whoever built this knows Cisco’s SD-WAN release management well enough to weaponize the legitimate update path.
Talos describes the CVE-2026-20182 exploitation wave as “limited so far.” Read with the timeline in mind: Cisco reserved the CVE on April 21, coordinated fixed versions with Rapid7 on April 24, and disclosed today. The actor has had at most three weeks to pivot.
What to patch, with an asterisk
The advisory covers both Controller and Manager. There is no workaround. The vulnerable listener is the same UDP/12346 socket that runs the overlay; you cannot disable it without breaking the fabric.
The version matrix below is inferred from the parallel CVE-2026-20127 advisory, because the primary Cisco advisory page for CVE-2026-20182 returned HTTP 403 during research, and the sources reference two different advisory IDs (cisco-sa-sdwan-rpa2-v69WY2SW and cisco-sa-sdwan-authbp-qwCX8D4v). Verify the exact fixed-version strings against the live advisory before scheduling a maintenance window. Do not assume that the build you took in February for 20127 also fixes 20182.
| Affected train | First fixed release |
|---|---|
| 20.9.x | 20.9.8.2 |
| 20.12.5.x | 20.12.5.3 |
| 20.12.6.x | 20.12.6.1 |
| 20.13.x / 20.14.x / 20.15.x | 20.15.4.2 |
| 20.16.x / 20.18.x | 20.18.2.1 |
Trains 20.11, 20.13 standalone, and 20.16 are listed as End of Software Maintenance. Anyone on those lines has to migrate to a supported train before they can take the fix. That is an upgrade project, not a maintenance window.
There is no public PoC for CVE-2026-20182 as of this writing, and no public Snort or Suricata rule. Rapid7’s CVE-2026-20127 PoC covers the broader handshake flow but not the new vHub bypass.
Why this keeps happening
CISA had to issue Emergency Directive ED 26-03 in February directing federal agencies to isolate SD-WAN management interfaces from the public internet. That this needed to be directed at all says everything about the operating model.
SD-WAN controllers were designed and sold as network infrastructure. Cloud-managed and hybrid deployments routinely put vManage on the public internet. Operations teams managing those controllers tend to apply a “managed infrastructure” mental model to a thing that is in fact an internet-facing application with a control-plane daemon listening on UDP. The mental model gap is the structural bug. The CVE just happens to be the part of it that gets a number.
The vendor record on this product family is not new either. Cisco’s May 2021 vManage cluster advisory bundled CVE-2021-1468 and CVE-2021-1497, both unauthenticated paths into the same platform. Versa Director had CVE-2024-39717, exploited by Volt Typhoon since at least June 2024. Fortinet’s FortiManager shipped CVE-2024-47575 last October, also missing authentication, also exploited as a zero-day. Aruba EdgeConnect had auth bypass in 2022.
Different vendors, same architecture, same class of bug. That is the pattern. The fact that the second Cisco one was found while reviewing the first is the part that should not be reassuring.
What to do Monday morning
Pull /var/log/auth.log on every vSmart and vManage node. Grep for `Accepted publickey for vmanage-admin` and cross-reference the source IPs against the configured System IP list. Talos’s IOC list also flags abnormally small or zero-byte auth logs as a high-fidelity sign of post-compromise cleanup. If the log is suspiciously empty, treat the host as compromised without waiting for a smoking gun.
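An added triage helper for the auth.log check above (written for this note, not Rapid7’s or Talos’s tooling): it assumes the standard OpenSSH syslog line format, and the System IP allowlist, the size threshold and the sample log lines are constructed.

```python
import re
from pathlib import Path

# Constructed allowlist standing in for the fabric's configured System IPs.
KNOWN_SYSTEM_IPS = {"10.1.1.1", "10.1.1.2", "10.1.1.3"}
# Assumed threshold: an auth.log smaller than this on a long-running node is suspect.
MIN_PLAUSIBLE_BYTES = 1024

# Standard OpenSSH syslog line for a key-based login.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_unknown_logins(lines, user="vmanage-admin", known_ips=KNOWN_SYSTEM_IPS):
    """Return (timestamp, source IP) for each key login as `user` from an IP
    that is not a known SD-WAN peer."""
    hits = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") == user and m.group("ip") not in known_ips:
            hits.append((m.group("ts"), m.group("ip")))
    return hits

def log_looks_wiped(size_bytes, min_bytes=MIN_PLAUSIBLE_BYTES):
    """Zero-byte or abnormally small auth logs are a cleanup indicator per Talos."""
    return size_bytes < min_bytes

def triage(path):
    """Run both checks against one node's auth.log and report the findings."""
    data = Path(path).read_bytes()
    return {
        "wiped": log_looks_wiped(len(data)),
        "unknown_logins": find_unknown_logins(data.decode(errors="replace").splitlines()),
    }

# Constructed sample: two expected peer logins, one from an unknown source,
# and a password login for a different account that the check must ignore.
SAMPLE_LOG = """\
May 14 03:12:07 vsmart1 sshd[2211]: Accepted publickey for vmanage-admin from 10.1.1.1 port 48122 ssh2: RSA SHA256:aaaa
May 14 03:12:09 vsmart1 sshd[2214]: Accepted publickey for vmanage-admin from 10.1.1.2 port 48130 ssh2: RSA SHA256:aaaa
May 14 03:40:51 vsmart1 sshd[2290]: Accepted publickey for vmanage-admin from 198.51.100.7 port 51002 ssh2: RSA SHA256:bbbb
May 14 03:41:00 vsmart1 sshd[2295]: Accepted password for admin from 10.1.1.9 port 51010 ssh2
"""

if __name__ == "__main__":
    for ts, ip in find_unknown_logins(SAMPLE_LOG.splitlines()):
        print(f"vmanage-admin key login from non-peer {ip} at {ts}")
```

Run `triage("/var/log/auth.log")` on each node; a `wiped` result is itself a finding, even when `unknown_logins` comes back empty.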
At the network layer: allowlist UDP/12346, TCP/830, and TCP/22 to known SD-WAN peers and drop everything else at the perimeter. Rapid7 notes these are typically blocked by default in Cisco-hosted cloud deployments. On-prem is where this hurts.
Cisco had nearly two months between the February 25 disclosure of CVE-2026-20127 and the April 21 reservation of CVE-2026-20182. That is the window in which an outside research firm, holding the first bug, kept reading the same daemon and found the second one. The vendor sitting on the source code did not get there first. PatchDay Alert covers the actively-exploited control-plane bugs the day they ship, with the fixed-version detail you actually need to schedule the change.
Sources
- CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED) — 2026-05-14
- Active exploitation of Cisco Catalyst SD-WAN by UAT-8616 — 2026-02-25
- Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities — 2026-05-14
- CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems — 2026-02-25
- Cisco Security Advisory cisco-sa-sdwan-rpa-EHchtZk (CVE-2026-20127) — 2026-02-25
- ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems — 2026-02
- GitHub: sfewer-r7/CVE-2026-20127 — 2026-05
- Cisco SD-WAN vManage Software Vulnerabilities (cisco-sa-sd-wan-vmanage-4TbynnhZ) — 2021-05
- Volt Typhoon exploiting Versa Director zero-day flaw (CVE-2024-39717) — 2024-08
- CVE-2024-47575 FortiManager Missing Authentication Zero-Day Explained — 2024-10
- Aruba fixes critical RCE and auth bypass flaws in EdgeConnect — 2022