CVE-2026-20182: CVSS 10.0 Cisco SD-WAN Authentication Bypass — 11 Threat Actor Clusters Are Inside Enterprise Networks Right Now

🚨 CISA EMERGENCY DIRECTIVE 26-03 — Federal agencies must patch by May 17, 2026: CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. Actively exploited by 11 distinct threat actor clusters. Patch to the fixed release for your version train immediately. If you cannot patch, restrict UDP port 12346 access at the perimeter. If you suspect compromise, open a Cisco TAC case as Severity 3 with CVE-2026-20182 in the title.
Four crafted DTLS packets. No credentials. Full administrative control over your entire SD-WAN fabric. | DataWater Threat Brief, May 16, 2026

Sources: Cisco Talos Intelligence · Rapid7 Labs · Tenable RSO · SOCRadar · SOCPrime · DailyCVE · SecurityWeek · The Hacker News · CISA Emergency Directive 26-03 · Cisco Official Security Advisory | CVE: CVE-2026-20182 | CVSS: 10.0 Critical (maximum) | Discovered by: Stephen Fewer & Jonah Burgess, Rapid7 | CISA KEV: Added May 14, 2026 | Federal patch deadline: May 17, 2026

A perfect ten — and attackers are already inside

A CVSS v3.1 score of 10.0 is the maximum possible rating. It requires a vulnerability that is reachable over the network, needs no privileges and no user interaction, has low attack complexity, crosses a security boundary (changed scope), and results in high impact to confidentiality, integrity, and availability at once. Very few vulnerabilities meet every one of those conditions, and fewer still are already under active exploitation on the day they are disclosed. CVE-2026-20182 is one of them.

Cisco disclosed CVE-2026-20182 on May 14, 2026 — an authentication bypass in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). An unauthenticated remote attacker sends four crafted DTLS packets to UDP port 12346, becomes a trusted control-plane peer of the target, and gains full administrative access to the SD-WAN fabric. From that position, they can read and rewrite network routing policy across the entire enterprise WAN. The attack has been confirmed in the wild. CISA issued Emergency Directive 26-03 the same day, giving federal agencies three days to patch — a deadline that expires May 17, 2026.

CVE: CVE-2026-20182
CVSS v3.1 score: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CWE: CWE-287, Improper Authentication
Affected products: Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage): on-prem, Cloud-Pro, Cisco Managed Cloud, FedRAMP
Attack vector: UDP port 12346 (DTLS), vdaemon control-plane peering service
Authentication required: None
Attack complexity: Low
User interaction: None
Access gained: High-privileged internal account plus full NETCONF access to the SD-WAN fabric
Discovered by: Stephen Fewer and Jonah Burgess, Rapid7; reported to Cisco March 9, 2026
Public exploit: Yes, Rapid7 Metasploit module published May 14, 2026
Active exploitation: Yes, UAT-8616 plus 10 additional threat clusters confirmed by Cisco Talos
CISA KEV: Added May 14, 2026
CISA Emergency Directive: ED 26-03, federal agency patch deadline May 17, 2026
Related CVEs being chained: CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, CVE-2022-20775

What Cisco SD-WAN is — and why compromising it is catastrophic

To understand why this vulnerability matters so much, you need to understand what Cisco Catalyst SD-WAN does. SD-WAN — Software-Defined Wide Area Network — is the technology that enterprises use to manage their entire network of branch offices, data centers, cloud connections, and remote sites from a single centralized control plane. Instead of manually configuring routers at each location, SD-WAN lets network teams define routing policies centrally and push them everywhere at once.

The Cisco Catalyst SD-WAN Controller is the central brain of this system. It maintains the routing topology, distributes Overlay Management Protocol (OMP) messages, manages Transport Location (TLOC) tables, and orchestrates peer state across the entire SD-WAN overlay fabric. Compromising the SD-WAN Controller means compromising the network itself. An attacker with administrative access to the Controller can redirect traffic, intercept communications, modify routing policies to create backdoor paths, and pivot to every device connected to the fabric — branch offices, data centers, cloud workloads, and any system that routes through the SD-WAN overlay.

Cisco Catalyst SD-WAN is deployed by telecommunications companies, financial institutions, government agencies, healthcare networks, and large enterprises — exactly the environments where network-level access carries the greatest intelligence and extortion value. Cisco Talos confirmed that UAT-8616, the primary threat actor exploiting this vulnerability, has specifically targeted SD-WAN instances belonging to telecoms, financial services, government contractors, and healthcare organizations.

How the exploit works: four packets to full control

The vulnerability lives in the vdaemon service — the process responsible for SD-WAN control-plane peer authentication. vdaemon communicates over DTLS (Datagram Transport Layer Security) on UDP port 12346. This port carries Overlay Management Protocol messages, route advertisements, TLOC tables, and peer state — the entirety of the SD-WAN fabric’s control plane.

Authentication in SD-WAN is supposed to work in two stages: a peer presents a certificate in the DTLS handshake, then proves possession of the matching key in a challenge-response exchange. Rapid7's research revealed a critical logic flaw in the second stage: when a connecting peer claims to be a vHub device (device_type=2) in its CHALLENGE_ACK, vdaemon skips the device-type-specific certificate verification but still marks the peer as authenticated. The four-packet sequence that exploits this is:

  1. DTLS handshake — The attacker opens a DTLS session to UDP port 12346 and presents an arbitrary self-signed certificate (the certificate travels in the handshake's Certificate message, not in the ClientHello itself). The server logs a certificate error but keeps the session and continues processing.
  2. CHALLENGE received — The vulnerable controller responds with a CHALLENGE message (msg_type=8) containing 256 random bytes, asking the peer to prove its identity.
  3. CHALLENGE_ACK forged — Instead of providing cryptographic proof, the attacker replies with a CHALLENGE_ACK (msg_type=9) claiming device_type=2 (vHub). Because vHub-type peers bypass the certificate verification path, the code marks the peer as authenticated without actually verifying any credentials.
  4. Hello message — The attacker sends a Hello message that pushes the peer relationship into the UP state — a fully trusted, authenticated control-plane peer.

That’s it. No brute force. No race condition. No complex memory manipulation. Four packets, and the attacker is a trusted member of the SD-WAN control plane. Rapid7 has published a Metasploit module implementing this sequence, making it immediately accessible to any attacker with the module installed.
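The following is an added illustration, not Cisco's vdaemon code and not an exploit: a simplified model of the CHALLENGE/CHALLENGE_ACK logic flaw as the article describes it, with the vulnerable decision beside a hardened one. Only the msg_type and device_type values come from the text; the session states, the HMAC-based proof, and the trust store are assumptions made for the model.

```python
"""Simplified model of the peering-authentication flaw described above.
Added illustration; NOT Cisco's vdaemon code. The proof function, trust
store and state names are assumptions made for the model."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MSG_CHALLENGE = 8       # msg_type values as quoted in the article
MSG_CHALLENGE_ACK = 9
DEVICE_TYPE_VHUB = 2    # the device_type the forged CHALLENGE_ACK claims

# Assumed: keys bound to certificates the controller has enrolled.
TRUSTED_PEER_KEYS = {b"edge-router-01-key"}


@dataclass
class PeerSession:
    cert_key: bytes          # key bound to the cert shown in the DTLS handshake
    challenge: bytes         # 256 random bytes sent in CHALLENGE (msg_type 8)
    device_type: int = 0
    authenticated: bool = False
    state: str = "CHALLENGE_SENT"


def new_session(cert_key: bytes) -> PeerSession:
    """Controller side: after the DTLS handshake, issue a 256-byte challenge."""
    return PeerSession(cert_key=cert_key, challenge=os.urandom(256))


def proof_for(challenge: bytes, key: bytes) -> bytes:
    """Assumed proof: HMAC-SHA256 of the challenge under the peer's key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def _verify(sess: PeerSession, proof: bytes) -> bool:
    """Certificate-bound check: cert must be enrolled and the proof must match."""
    if sess.cert_key not in TRUSTED_PEER_KEYS:
        return False
    return hmac.compare_digest(proof, proof_for(sess.challenge, sess.cert_key))


def handle_ack_vulnerable(sess: PeerSession, msg_type: int, device_type: int, proof: bytes) -> bool:
    """Models the flaw: a vHub claim skips verification yet is marked authenticated."""
    if msg_type != MSG_CHALLENGE_ACK or sess.state != "CHALLENGE_SENT":
        return False
    sess.device_type = device_type
    if device_type != DEVICE_TYPE_VHUB and not _verify(sess, proof):
        return False
    sess.authenticated = True        # reached with no proof when device_type == 2
    sess.state = "AUTHENTICATED"
    return True


def handle_ack_fixed(sess: PeerSession, msg_type: int, device_type: int, proof: bytes) -> bool:
    """Hardened form: the claimed device_type never selects a path that skips verification."""
    if msg_type != MSG_CHALLENGE_ACK or sess.state != "CHALLENGE_SENT":
        return False
    if not _verify(sess, proof):
        return False
    sess.device_type = device_type
    sess.authenticated = True
    sess.state = "AUTHENTICATED"
    return True


def handle_hello(sess: PeerSession) -> str:
    """Hello moves an authenticated peer to UP; an unauthenticated one stays put."""
    if sess.authenticated:
        sess.state = "UP"
    return sess.state


def run_scenarios() -> dict:
    """Forged ACK against the vulnerable and fixed logic, then a legitimate peer."""
    forged_key = b"attacker-self-signed-key"     # not enrolled anywhere
    results = {}

    s = new_session(forged_key)
    handle_ack_vulnerable(s, MSG_CHALLENGE_ACK, DEVICE_TYPE_VHUB, b"")
    results["vulnerable_forged_ack"] = handle_hello(s)

    s = new_session(forged_key)
    handle_ack_fixed(s, MSG_CHALLENGE_ACK, DEVICE_TYPE_VHUB, b"")
    results["fixed_forged_ack"] = handle_hello(s)

    s = new_session(b"edge-router-01-key")
    handle_ack_fixed(s, MSG_CHALLENGE_ACK, 1, proof_for(s.challenge, s.cert_key))
    results["fixed_legit_peer"] = handle_hello(s)
    return results


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name}: {state}")
```

The point of the model is the shape of the bug: the claimed device type selects the verification path, so a value the peer controls decides whether the peer is verified at all. The hardened handler verifies first and records the device type afterwards, so the claim can no longer influence the outcome.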

What UAT-8616 does after getting in

Cisco Talos has tracked the post-exploitation behavior of UAT-8616 across multiple compromises with high confidence. The playbook is systematic, persistent, and specifically designed to survive remediation attempts:

  • SSH key injection. The attacker adds their own public key to the vmanage-admin user’s authorized_keys file, establishing persistent remote access that survives password resets.
  • NETCONF manipulation. Using NETCONF access that comes with administrative privileges, the attacker modifies routing configuration across the SD-WAN fabric — redirecting traffic, creating backdoor routing rules, or establishing persistent tunnels for long-term data access.
  • Root privilege escalation via version downgrade. After gaining the high-privileged non-root account, UAT-8616 performs a software version downgrade on the controller to expose the older CVE-2022-20775 vulnerability, achieves root-level access, then restores the original software version to conceal the exploitation path. This technique is designed specifically to defeat forensic analysis: an investigator checking the running software version would see the expected release and miss the downgrade-escalate-restore chain entirely.
  • PermitRootLogin modification. The SSH daemon configuration is modified to enable direct root login, providing an additional persistent access path.
  • Comprehensive log clearing. UAT-8616 systematically wipes forensic evidence from syslog, wtmp, lastlog, bash_history, and cli-history. Cisco Talos explicitly noted that log clearing was observed in compromised environments, making timeline reconstruction extremely difficult.

DailyCVE summarized the post-exploitation access as effectively “God Mode” on the network — the ability to intercept traffic, modify routing policies, implant persistent backdoors in the network fabric, and pivot laterally to any system connected to the SD-WAN overlay.

Eleven threat actor clusters — this is not targeted espionage alone

What makes the current Cisco SD-WAN exploitation campaign particularly alarming is its breadth. Cisco Talos has identified eleven distinct threat actor clusters currently exploiting Cisco SD-WAN vulnerabilities — UAT-8616 plus 10 additional clusters. UAT-8616 is exploiting CVE-2026-20182 (the new CVSS 10.0 flaw) and the earlier CVE-2026-20127. The 10 additional clusters have been exploiting the CVE-2026-20133 / CVE-2026-20128 / CVE-2026-20122 chain since March 2026, following the publication of proof-of-concept code by ZeroZenX Labs.

UAT-8616 is described by Talos as “a highly sophisticated cyber threat actor” whose infrastructure overlaps with monitored Operational Relay Box (ORB) networks — a routing technique commonly associated with nation-state actors who use compromised third-party infrastructure to obscure their origin. Talos has not attributed UAT-8616 to a specific nation state, but the targeting profile — critical infrastructure, telecoms, financial services, government contractors — and the technical sophistication of the post-exploitation tradecraft are consistent with state-aligned APT behavior. UAT-8616 has been exploiting Cisco SD-WAN infrastructure continuously since at least 2023.

The 10 additional clusters represent a different threat category — opportunistic actors leveraging the publicly available PoC code from ZeroZenX Labs to compromise unpatched systems at scale. These clusters have been observed deploying webshells on compromised SD-WAN Manager instances, indicating a mix of persistence and data access objectives distinct from UAT-8616’s network-level manipulation focus.

The five CVEs you need to understand together

The current SD-WAN exploitation campaign involves a cluster of related vulnerabilities that threat actors are chaining together. Understanding all five is essential for scoping your remediation:

  • CVE-2026-20182 (CVSS 10.0) — The new authentication bypass in vdaemon control-plane peering. Exploited by UAT-8616. Metasploit module public.
  • CVE-2026-20127 (CVSS 10.0) — A prior authentication bypass in the same vdaemon service. Also exploited by UAT-8616. Patched in February 2026 but many systems remain unpatched.
  • CVE-2026-20133 / CVE-2026-20128 / CVE-2026-20122 — Three vulnerabilities in SD-WAN Manager that, when chained together, allow remote unauthenticated access. Exploited by 10 additional threat clusters since March 2026 after ZeroZenX Labs published PoC code. Patched in February 2026.
  • CVE-2022-20775 — An older vulnerability used by UAT-8616 for post-exploitation root privilege escalation via the version downgrade technique. Not the initial entry point but weaponized after gaining the administrative account.

If your SD-WAN deployment is running versions that predate the February 2026 patches, you are exposed to all five vulnerabilities simultaneously. If you applied the February patches but not the May 14 patches, you are still exposed to CVE-2026-20182.

How to detect if you have already been compromised

Because UAT-8616 clears logs aggressively, standard log review may be insufficient. Cisco has published specific detection guidance that security teams should execute immediately on any SD-WAN Controller or Manager that may have been exposed:

  • Review /var/log/auth.log for entries of the form Accepted publickey for vmanage-admin from <ip> where <ip> is not in your known authorized infrastructure list. Any unknown IP that successfully authenticated as vmanage-admin is a confirmed compromise indicator. Treat an auth.log that is empty, truncated, or missing the period in question as suspicious as well: given the log clearing described above, an absence of entries is not evidence of absence.
  • Run show control connections on all SD-WAN Controllers and manually validate every peering event. Pay specific attention to vmanage peering types from unexpected IP addresses or at unexpected times.
  • Check authorized_keys files on all Controller and Manager nodes for any SSH public keys not in your authorized inventory.
  • Audit NETCONF configuration history for unauthorized routing policy changes, new peer definitions, or traffic redirection rules.
  • Review software version history. UAT-8616 performs version downgrades and restores — look for version change events in controller logs that do not correspond to authorized maintenance windows.
  • Check the SSH daemon configuration (sshd_config and any files it includes) for PermitRootLogin yes. This is not a default setting and its presence strongly indicates post-exploitation modification. OpenSSH applies the first value it finds for a keyword, so inspect the whole file and any Match blocks rather than relying on a single grep hit.
  • Collect the admin-tech bundle from each control component using request admin-tech before opening a Cisco TAC case — this preserves the forensic state that TAC engineers need to assess compromise scope.
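As an added example of the first three checks above (not Cisco's detection tooling), the helpers below flag vmanage-admin key logins from outside an allowlist, authorized_keys entries whose key blob is not in a known inventory, and an effective PermitRootLogin yes. The log lines, key inventory and sshd_config excerpt are constructed samples, and KNOWN_ADMIN_NETS is an assumption you replace with your own management and jump-host ranges.

```python
"""Added triage helpers for the log-based indicators listed above.
Illustration only; the sample data below is constructed, and the
allowlist is an assumption to be replaced with your own ranges."""
import ipaddress
import re
from typing import Iterable

# Assumed allowlist: networks from which vmanage-admin SSH logins are expected.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample of /var/log/auth.log on a Manager node.
SAMPLE_AUTH_LOG = """\
May 15 02:14:07 vmanage sshd[2931]: Accepted publickey for vmanage-admin from 10.20.0.5 port 51234 ssh2: RSA SHA256:Qk3x...
May 15 03:41:19 vmanage sshd[3102]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40022 ssh2: ED25519 SHA256:7Hf2...
May 15 03:42:01 vmanage sshd[3110]: Accepted password for admin from 10.20.0.9 port 50110 ssh2
May 15 03:45:33 vmanage sshd[3150]: Failed publickey for vmanage-admin from 198.51.100.9 port 41000 ssh2
"""

# Constructed authorized_keys for vmanage-admin; the key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyFromInventory000000000000000000 netops-jump
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUnknownKeyPlantedByIntruder backup
"""
KEY_INVENTORY = {"AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyFromInventory000000000000000000"}

# Constructed sshd_config excerpt; the commented line is a decoy, the live one is the finding.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted publickey for vmanage-admin from (?P<ip>\S+) port"
)
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def unknown_pubkey_logins(lines: Iterable[str], allowed=KNOWN_ADMIN_NETS) -> list:
    """Successful vmanage-admin key logins from outside the allowlist: (timestamp, ip)."""
    hits = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in allowed):
            hits.append((m["ts"], str(ip)))
    return hits


def unknown_authorized_keys(text: str, inventory=KEY_INVENTORY) -> list:
    """Comments of authorized_keys entries whose key blob is not in the inventory.
    Handles optional leading options by locating the key-type token first."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        blob = parts[idx + 1]
        if blob not in inventory:
            findings.append(" ".join(parts[idx + 2:]) or "<no comment>")
    return findings


def permit_root_login(text: str) -> bool:
    """True if the effective PermitRootLogin is yes. OpenSSH honours the first
    occurrence of a keyword, so the first live directive wins; Match blocks and
    Include files are outside this helper's scope. Default is prohibit-password."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        kv = s.split(None, 1)
        if kv[0].lower() == "permitrootlogin" and len(kv) == 2:
            return kv[1].strip().lower() == "yes"
    return False


def triage() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "unknown_logins": unknown_pubkey_logins(SAMPLE_AUTH_LOG.splitlines()),
        "unknown_keys": unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS),
        "permit_root_login": permit_root_login(SAMPLE_SSHD_CONFIG),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

Run the same functions over the real files (auth.log, the vmanage-admin authorized_keys, sshd_config) on each Controller and Manager node. Any non-empty result from the first two checks, or True from the third, is a finding to take to TAC with the admin-tech bundle.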

Remediation steps

  1. Upgrade to the fixed software release for your version train immediately. Consult Cisco’s official security advisory at cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW for the specific fixed version for your deployment. All supported Cisco Catalyst SD-WAN release trains have fixes available.
  2. Apply all prior February 2026 patches if you have not done so. CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 all have available patches from February 2026 that many organizations still have not applied.
  3. If you cannot patch immediately, restrict access to UDP port 12346. Block inbound DTLS traffic to SD-WAN Controller and Manager nodes from any address that is not a legitimate SD-WAN peer in your environment. This is a perimeter firewall ACL change, not a software mitigation, and it reduces the exposure rather than removing it: a peer that is itself compromised, or an attacker who already has a foothold inside an allowed network, can still reach the service. Two practical caveats: the allowlist must include the public addresses of every WAN edge that builds control connections (edges behind NAT may present addresses you do not expect), and control components with multiple cores listen on additional ports offset by 100 (12446, 12546, and so on), so confirm from the node's own control-connection properties which ports are in use and cover all of them, not 12346 alone.
  4. Conduct the detection checks listed above on all Controller and Manager nodes immediately. Do not wait for patching to complete before running the compromise assessment. If UAT-8616 has already been in your environment, patching alone does not remove the SSH keys, modified daemon configs, or NETCONF changes they may have made.
  5. If you suspect compromise, open a Cisco TAC case as Severity 3 with “CVE-2026-20182” in the title. Collect and provide the admin-tech bundle from all control components. Cisco TAC has a dedicated remediation guide: “Remediate Catalyst SD-WAN Security Advisory — May 2026.”
  6. Federal agencies must comply with CISA Emergency Directive 26-03 by May 17, 2026. The directive requires applying mitigations and reporting status to CISA. Non-federal organizations should treat this deadline as a strong signal of the urgency — CISA emergency directives are reserved for actively exploited critical infrastructure threats.

The bigger picture: 15 Cisco SD-WAN CVEs on CISA KEV in 2026

CVE-2026-20182 is not an isolated incident. CISA’s Known Exploited Vulnerabilities catalog now lists 15 Cisco SD-WAN vulnerabilities, and the pace of discovery is accelerating. Five of those 15 were added in 2026 alone — and we are only in May. The back-to-back critical authentication bypasses in the same vdaemon service (CVE-2026-20127 in February and CVE-2026-20182 in May) represent a pattern of sustained, sophisticated focus by nation-state-linked threat actors on Cisco SD-WAN infrastructure specifically.

SecurityWeek described CVE-2026-20182 as “the sixth exploited SD-WAN vulnerability in 2026” — a rate of roughly one exploited SD-WAN CVE per month this year. Organizations running Cisco SD-WAN that have not established a rapid patch cadence for this product family are systematically behind threat actors who have made it a priority target. The combination of maximum CVSS scores, public Metasploit modules, active exploitation by 11 distinct clusters, and a CISA emergency directive all point to the same conclusion: this is the network security event of the week, and the response needs to be proportional.


DataWater publishes a daily cybersecurity threat brief sourced from the most reliable security research organizations. Article #11 — May 16, 2026. Previous: NGINX Rift CVE-2026-42945 (May 14) · Dead.Letter CVE-2026-45185 (May 13) · CVE-2026-0300 Palo Alto PAN-OS (May 13) · Copy Fail CVE-2026-31431 (May 7) · CVE-2026-3854 GitHub RCE (May 3).
