
Cisco's Maximum-Severity SD-WAN Flaw Is Under Active Attack

May 17


Cisco has patched a flaw in its Catalyst SD-WAN Controller that carries the worst score the CVSS scale can give: a clean 10.0. Tracked as CVE-2026-20182, it lets an unauthenticated attacker bypass authentication entirely and take administrative control of the device. Cisco confirmed the flaw was already being exploited before the fix was available.


What Happened


The vulnerability sits in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage). By sending crafted requests to an affected system, a remote attacker with no credentials can log in as an internal, high-privileged account, then reach NETCONF and rewrite configuration across the SD-WAN fabric. Rapid7, which discovered the bug, traced it to the same vdaemon service over DTLS on UDP port 12346 that was behind an earlier 10.0-rated flaw, CVE-2026-20127. Cisco Talos attributes live exploitation to a group it tracks as UAT-8616, and the US Cybersecurity and Infrastructure Security Agency has added the CVE to its Known Exploited Vulnerabilities catalogue with a federal patch deadline of 17 May 2026.


Why It Matters


An SD-WAN controller carries far more weight than an ordinary endpoint. It distributes routing and policy to every site in the network, so administrative access to it is effectively administrative access to the whole fabric. For Australian organisations running Cisco SD-WAN across branch offices, retail sites or operational technology environments, a compromised controller gives an attacker a quiet vantage point over traffic between every location. Talos reported that UAT-8616's post-compromise activity included adding SSH keys, changing NETCONF configuration and escalating to root.


The controller that runs your network is also the device that hands an attacker the keys to all of it.


What Security Teams Should Do Now


  • Apply Cisco's updates for Catalyst SD-WAN Controller and Manager now, rather than waiting for the next maintenance window. This flaw is rated 10.0 and is being exploited.

  • Confirm whether the controller or its management ports are reachable from the internet, and remove that exposure wherever it is not strictly required.

  • Audit /var/log/auth.log for "Accepted publickey for vmanage-admin" entries originating from IP addresses you do not recognise.

  • Review peering events for connections at unusual times, from unfamiliar addresses, or involving device types that do not match your architecture.

  • Check for unexpected SSH keys, NETCONF configuration changes and signs of privilege escalation. Patching does not remove an attacker who is already inside.

  • Treat the related advisories as part of the same job. CVE-2026-20127 and the February 2026 set (CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122) are also under active exploitation.
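The auth.log audit in the checklist above is easy to do by hand once, but harder to repeat across several controllers. The script below is an added example written for this article, not code from Aurian, Cisco or Rapid7: it parses standard OpenSSH "Accepted" lines, keeps only successful logins for the vmanage-admin account, and flags any whose source address falls outside an allow-list of management networks. The log lines, host name and the trusted ranges are constructed for the example and should be replaced with your own.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Matches the standard OpenSSH syslog message for a successful login, e.g.
# "May 12 03:14:07 host sshd[2231]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41022 ssh2: ..."
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Login:
    timestamp: str
    host: str
    user: str
    method: str
    src: str
    port: int


def parse_accepted_logins(lines, user="vmanage-admin"):
    """Return every successful sshd login for `user` found in the given auth.log lines."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if m is None or m.group("user") != user:
            continue  # failed attempts, other accounts and unrelated lines are ignored
        logins.append(Login(m.group("ts"), m.group("host"), m.group("user"),
                            m.group("method"), m.group("src"), int(m.group("port"))))
    return logins


def unexpected_logins(lines, trusted_networks, user="vmanage-admin"):
    """Logins for `user` whose source address is outside every trusted network.

    A source that cannot be parsed as an IP address is reported rather than dropped,
    so a malformed line is surfaced for a human to look at instead of silently ignored.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    flagged = []
    for login in parse_accepted_logins(lines, user):
        try:
            addr = ipaddress.ip_address(login.src)
        except ValueError:
            flagged.append(login)
            continue
        if not any(addr in net for net in nets):
            flagged.append(login)
    return flagged


def count_by_source(logins):
    """Count logins per source address, so repeat use of one unfamiliar IP stands out."""
    return Counter(login.src for login in logins)


# Constructed sample lines in OpenSSH auth.log format; they are not from any real device.
SAMPLE_AUTH_LOG = [
    "May 12 02:58:41 sdwan-mgr sshd[2190]: Failed publickey for vmanage-admin from 198.51.100.23 port 40988 ssh2: RSA SHA256:AAAA",
    "May 12 03:14:07 sdwan-mgr sshd[2231]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41022 ssh2: RSA SHA256:AAAA",
    "May 12 09:02:15 sdwan-mgr sshd[2410]: Accepted publickey for vmanage-admin from 10.10.4.15 port 50211 ssh2: RSA SHA256:BBBB",
    "May 12 09:05:30 sdwan-mgr sshd[2415]: Accepted password for netops from 203.0.113.9 port 50300 ssh2",
    "May 12 22:47:59 sdwan-mgr sshd[2988]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41900 ssh2: RSA SHA256:AAAA",
    "May 13 01:10:02 sdwan-mgr sshd[3102]: Accepted publickey for vmanage-admin from 2001:db8::7 port 39001 ssh2: ED25519 SHA256:CCCC",
]

# Hypothetical management networks; replace with the ranges your administrators really use.
TRUSTED_NETWORKS = ["10.10.0.0/16", "192.168.50.0/24"]


if __name__ == "__main__":
    flagged = unexpected_logins(SAMPLE_AUTH_LOG, TRUSTED_NETWORKS)
    for login in flagged:
        print(f"{login.timestamp} {login.user} via {login.method} from {login.src}:{login.port}")
    print("by source:", dict(count_by_source(flagged)))
```

On the constructed sample the script reports three logins from two addresses outside the trusted ranges and ignores the failed attempt and the unrelated netops session. Run it against the real file with `open("/var/log/auth.log")` in place of the sample list, and treat any hit as a lead for the wider check the list calls for (new SSH keys, NETCONF changes, privilege escalation) rather than as proof on its own.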


Aurian's Take


Edge and management devices have become a preferred way in. They sit at the network boundary, they run complex code, and they are often left out of the patching discipline applied to servers and laptops. CVE-2026-20182 is the second 10.0-rated authentication bypass in the same Cisco service within months, exploited by an actor that clearly knows the platform well. That pattern, where capable groups keep returning to the same class of device, the same daemon and the same port, points to deliberate targeting rather than chance.


Regular penetration testing exists to find this kind of exposure before an attacker does. A thorough security assessment maps what is genuinely reachable from the internet, questions why management interfaces are exposed at all, and tests whether authentication on critical infrastructure holds up under pressure. At Aurian, we see the same gap again and again: organisations are confident their web applications are tested, while the controllers, gateways and appliances that actually run the network rarely get the same scrutiny. Closing that gap is the difference between reading about UAT-8616 and hosting it.



A CVSS 10.0 under active exploitation is about as urgent as vulnerability management gets, and the gap between disclosure and a working exploit keeps narrowing. To find out how Aurian can help your organisation assess its exposure, get in touch.


© 2026 Aurian Security Pty Ltd. All rights reserved.
