Live Exposure Defense: From CVE to Confirmed Exposure in 12 Hours – See more

Back
New CVE Detected

CVE-2026-20182 – Authentication bypass in Cisco Catalyst SD-WAN (vManage / vSmart) allowing administrative access

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge

Summary

CVE-2026-20182 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly SD‑WAN vSmart) and Cisco Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). An unauthenticated, remote attacker can exploit a flaw in the peering authentication mechanism to bypass authentication and obtain high-privileged administrative access to an affected system.

Key details

  • Vulnerability type: Authentication bypass (CWE-287)
  • Affected products: Cisco Catalyst SD‑WAN Controller (vSmart) and Cisco Catalyst SD‑WAN Manager (vManage)
  • Attack vector: Network (remote, unauthenticated)
  • CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) — Critical
  • Impact: Confidentiality, Integrity, and Availability — High

Technical impact

  • The flaw stems from an issue in the peering authentication mechanism used by the SD‑WAN control plane.
  • A successful exploit allows an attacker to log in to the SD‑WAN Controller/Manager as an internal, high‑privileged, non‑root user.
  • With this access, an attacker can reach NETCONF interfaces and manipulate SD‑WAN network configuration, potentially causing network disruption, configuration rollback/poisoning, traffic interception, or broader lateral movement across the SD‑WAN fabric.

Exploitation and activity

  • Public reporting and vendor/telemetry sources indicate active exploitation/targeting is being tracked by security teams. Organizations should treat exposed management/control plane instances as high risk.

Mitigation and recommendations

  • Apply vendor-provided patches immediately. Cisco has published security advisories with remediation and guidance — consult the Cisco advisories linked below for fixed releases and step-by-step instructions.
  • If immediate patching is not possible, implement compensating controls:
    • Restrict network access to management/control plane interfaces (limit to trusted admin networks and management VPNs).
    • Use strict ACLs and firewalling to block unauthenticated access to vManage/vSmart management endpoints.
    • Monitor logs and NETCONF activity for unexpected configuration changes and anomalous authentication events.
    • Follow the vendor guidance (including the "Show Control Connections" checks referenced in the advisory) to validate system state and connectivity.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

  • Mapping of all Assets with this Technology
  • Identification of potentially exposed assets to this CVE
  • Confirmation of verified exploitable assets
Get Exposure Report

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

  • Mapping of all Assets with this Technology
  • Identification of potentially exposed assets to this CVE
  • Confirmation of verified exploitable assets
Get Exposure Report
Close

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge