- May 14, 2026
Critical Vulnerability in Cisco Catalyst SD-WAN Controller Under Active Exploitation (CVE-2026-20182)
Executive Summary
On May 14th, Cisco published an advisory detailing a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN controller infrastructure. The vulnerability, tracked as CVE-2026-20182, is a peering authentication bypass between SD-WAN infrastructure components and is similar to a vulnerability discovered 3 months prior.
Active exploitation has been confirmed in the wild, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Like the vulnerability reported in late February, this flaw allows an unauthenticated attacker to bypass authentication and create a rogue peer to a victim’s SD-WAN controller. Through creating a rogue peer, an attacker can advance to gain highly privileged access into the ecosystem and manipulate configurations via NETCONF.
Beazley Security recommends that affected organizations check for signs of compromise, and upgrade to fixed versions of SD-WAN software immediately.
Affected Systems or Products
| Cisco Catalyst SD-WAN Version | Affected Version | Fixed Version |
|---|---|---|
| 20.9 | < 20.9.9.1 | |
| 20.12 | < 20.12.5.4, < 20.12.6.2, < 20.12.7.1 | |
| 20.15 | < 20.15.4.4, < 20.15.5.2 | |
| 20.16, 20.17, 20.18 | < 20.18.2.2 | |
Please note that 20.10, 20.11, 20.13, 20.15, and 20.16 are EOL; affected clients running these releases should upgrade to a supported release.
Mitigations / Workarounds
Cisco has released software updates addressing CVE-2026-20182, and applying the vendor-provided patches is the recommended course of action to reduce risk.
Beyond patching, organizations should consider reviewing Cisco’s SD-WAN hardening guide, including steps to:
- Inventory and audit expected peer networks within SD-WAN infrastructure.
- Reduce internet exposure by locking SD-WAN controller peering services down to known and authorized peer networks.
- Restrict access to SD-WAN controller and management planes to a dedicated administrative network.
Affected organizations that are unable to immediately patch should ensure strict network access controls are in place around SD-WAN controllers and check audit logs for any signs of compromise.
Patches
At the time of writing, Cisco has released fixes for all supported versions of its Catalyst SD-WAN solutions. Please see the Affected Systems or Products section above for additional information on affected versions and fixes.
Cisco has produced a remediation guide that includes links to fixed software for the identified vulnerabilities. The vendor also hosts a software download center requiring login.
Alternatively, customers can contact Cisco’s Technical Assistance Center (TAC) to request additional response and software upgrade support.
Indicators of Compromise
Cisco Talos is tracking this campaign through an official threat advisory and is attributing attacks to threat actor UAT-8616, describing the group as a “highly sophisticated cyber threat actor”. The same group is believed to be responsible for the peering attacks against CVE-2026-20127 in February. Beazley Security recommends affected organizations review the Talos threat advisory for continuous updates regarding in-the-wild exploitation and the IoCs observed in the community.
Cisco also released a remediation guide containing upgrade instructions and verification checks, importantly including the command below to search the vsyslog* (shown in the example), messages*, and vdebug* files under /var/log for unauthorized peers:
```bash
# Requires GNU awk: the three-argument match() that fills the capture array is a gawk extension.
# Repeat with messages* and vdebug* to cover the other log files named in Cisco's guide.
awk '{
  match($0, /peer-type:([a-zA-Z0-9]+)[^ ]* peer-system-ip:([0-9.:]+)/, arr);
  if (arr[1] && arr[2]) print "(" arr[1] ", " arr[2] ")";
}' vsyslog* | sort | uniq
```
Cisco’s remediation guide contains other helpful hunting tips and verification checks.
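As an added illustration (not part of Cisco’s guide or this advisory), the same pattern the awk command matches can be applied in Python and the result compared with an inventory of expected peers, so that only peers absent from the inventory are reported. The sample log lines and the EXPECTED_PEERS inventory are constructed for the example; the /var/log glob patterns follow the file names Cisco’s guide lists.

```python
import glob
import re
from collections import defaultdict

# Constructed sample lines in the shape the Cisco awk one-liner matches (not real device logs).
SAMPLE_LOG = """\
May 14 10:01:02 vsmart vdaemon[1234]: peer-type:vsmart peer-system-ip:10.1.1.1 connected
May 14 10:02:10 vsmart vdaemon[1234]: peer-type:vmanage peer-system-ip:10.1.1.2 connected
May 14 10:05:44 vsmart vdaemon[1234]: peer-type:vhub peer-system-ip:203.0.113.9 connected
May 14 10:05:45 vsmart vdaemon[1234]: peer-type:vhub peer-system-ip:203.0.113.9 session up
"""

# Same regular expression as the awk command: capture peer type and peer system IP.
PEER_RE = re.compile(r"peer-type:([a-zA-Z0-9]+)[^ ]* peer-system-ip:([0-9.:]+)")

# Hypothetical inventory of expected peers; in practice this comes from the operator's records.
EXPECTED_PEERS = {
    ("vsmart", "10.1.1.1"),
    ("vmanage", "10.1.1.2"),
}

# Log files named in Cisco's guide; gzip-rotated copies are not handled here.
LOG_GLOBS = ("/var/log/vsyslog*", "/var/log/messages*", "/var/log/vdebug*")


def extract_peers(text):
    """Return the set of (peer-type, peer-system-ip) pairs seen in the log text."""
    return {(m.group(1), m.group(2)) for m in PEER_RE.finditer(text)}


def unexpected_peers(text, expected=EXPECTED_PEERS):
    """Peers present in the logs but absent from the inventory, with the number of matching lines."""
    counts = defaultdict(int)
    for m in PEER_RE.finditer(text):
        pair = (m.group(1), m.group(2))
        if pair not in expected:
            counts[pair] += 1
    return dict(counts)


def scan_log_files(patterns=LOG_GLOBS, expected=EXPECTED_PEERS):
    """Read every file matching the glob patterns and report peers outside the inventory."""
    chunks = []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                chunks.append(fh.read())
    return unexpected_peers("".join(chunks), expected)


if __name__ == "__main__":
    for (ptype, ip), n in sorted(unexpected_peers(SAMPLE_LOG).items()):
        print(f"UNEXPECTED peer type={ptype} system-ip={ip} ({n} log lines)")
```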
Technical Details
CVE-2026-20182 was found by Rapid7 while they were studying CVE-2026-20127. Both vulnerabilities affect the same “vdaemon” service.
The Rapid7 analysis article is meticulously detailed and deserves a read-through; however, we summarize the high-level details of the flaw below. The specific section of code where the bug is located assists with peer certificate validation for SD-WAN implementations. Within the code exists function logic for explicitly enumerated peering combinations (i.e. vSmart-to-vSmart or vManage-to-vSmart), but critically, the function:
- has no defined logic or authentication checks if the remote device claims it is a vHub, and
- does not “fail closed”.
This means all a threat actor needs to do is initiate a peering session with the target and masquerade as a vHub. The bug will cause the targeted appliance to skip verifying certificates for the incoming request and log the attacker-controlled device as a legitimate peer.
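To make that failure mode concrete, here is an added, purely illustrative Python model (not vdaemon code and not taken from Rapid7’s analysis) of a peer check that dispatches on the claimed peer type with a fail-open default, beside the fail-closed form that enumerates every accepted pairing and still requires a valid certificate for each; the pairing names, the peer dictionary layout and the cert_valid helper are hypothetical.

```python
# Hypothetical placeholder for certificate validation. A real check would verify the
# chain, the serial against the allow-list, and the organization name; here the
# constructed peer record simply carries the outcome as a boolean.
def cert_valid(peer):
    return bool(peer.get("cert_ok"))


def validate_peer_fail_open(local_type, peer):
    """Model of the flaw described above: explicit branches for the pairings the
    author thought of, no branch for a vHub claim, and a default that accepts."""
    pairing = (local_type, peer.get("type"))
    if pairing == ("vsmart", "vsmart"):
        return cert_valid(peer)
    if pairing == ("vmanage", "vsmart"):
        return cert_valid(peer)
    # ... further explicitly handled pairings would sit here ...
    return True  # fail-open default: any unhandled claim is accepted without a certificate check


# Hardened form: the complete set of (local, remote) pairings that may peer at all.
ALLOWED_PAIRINGS = {
    ("vsmart", "vsmart"),
    ("vmanage", "vsmart"),
}


def validate_peer_fail_closed(local_type, peer):
    """Default deny: an unknown, missing or unlisted peer type is rejected, and a
    listed pairing is accepted only after its certificate validates."""
    remote_type = peer.get("type")
    if not isinstance(remote_type, str):
        return False  # missing or malformed claim
    if (local_type, remote_type) not in ALLOWED_PAIRINGS:
        return False  # unlisted pairing, including a claimed vHub
    return cert_valid(peer)  # listed pairing: certificate is still mandatory


if __name__ == "__main__":
    rogue = {"type": "vhub", "cert_ok": False}  # constructed: unhandled type, invalid certificate
    print("fail-open accepts rogue vhub:", validate_peer_fail_open("vsmart", rogue))
    print("fail-closed accepts rogue vhub:", validate_peer_fail_closed("vsmart", rogue))
```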
A device peer has a lot of power within Cisco’s SD-WAN fabric, and Rapid7 included details on how to inject an attacker-controlled SSH key onto compromised devices.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.