Second maximum-severity Cisco Catalyst SD-WAN auth bypass exploited as a zero-day by sophisticated UAT-8616 actor - CISA gives federal agencies until May 17 to patch (CVE-2026-20182)

Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.

Check
Identify every on-prem and Cisco-managed cloud instance of Catalyst SD-WAN Controller and Manager. On each controller, list the peers that have successfully established a control connection and compare their System IPs against the System IPs configured in the device inventory (WebUI > Devices > System IP). A peer the controller trusts that nobody configured is exactly what a successful bypass leaves behind, so treat any unknown peer as a potential indicator of compromise and open a Cisco TAC case for it.
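The comparison the Check step describes, as an added example in Python (not Cisco's tooling and not code from the article). It assumes a constructed, hypothetical comma-separated layout for both the device inventory and the controller's control-connection list; the column names, hostnames and addresses are made up for the sample. The second heuristic, flagging a known System IP that arrives from two different public addresses, goes beyond the page's check.

```python
"""Compare SD-WAN control-plane peers against the configured System IP inventory.

Added illustration, not Cisco tooling. Both inputs below are constructed
samples in a hypothetical comma-separated layout; real data comes from the
Manager device inventory (WebUI > Devices > System IP) and from the
controller's control-connection view, so adapt the two parsers to the export
you actually have.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory: "system_ip,hostname" (hypothetical values).
INVENTORY = """\
10.1.1.1,vsmart-01
10.1.1.2,vmanage-01
10.10.10.11,branch-11-cedge
10.10.10.12,branch-12-cedge
"""

# Constructed sample of control connections as seen by the controller:
# "peer_type,peer_system_ip,peer_public_ip,state" (hypothetical values).
CONTROL_CONNECTIONS = """\
vmanage,10.1.1.2,192.0.2.20,up
vedge,10.10.10.11,198.51.100.11,up
vedge,10.10.10.12,198.51.100.12,up
vedge,10.10.10.99,203.0.113.45,up
vedge,10.10.10.11,203.0.113.46,up
vedge,10.10.10.77,203.0.113.90,connect
"""


@dataclass(frozen=True)
class Peer:
    peer_type: str
    system_ip: ipaddress.IPv4Address
    public_ip: ipaddress.IPv4Address
    state: str


def parse_inventory(text):
    """Map each configured System IP to its hostname."""
    inventory = {}
    for line in text.strip().splitlines():
        system_ip, hostname = (f.strip() for f in line.split(","))
        inventory[ipaddress.IPv4Address(system_ip)] = hostname
    return inventory


def parse_connections(text):
    """Parse one control connection per line into a Peer."""
    peers = []
    for line in text.strip().splitlines():
        peer_type, system_ip, public_ip, state = (f.strip() for f in line.split(","))
        peers.append(Peer(peer_type, ipaddress.IPv4Address(system_ip),
                          ipaddress.IPv4Address(public_ip), state))
    return peers


def unknown_peers(peers, inventory):
    """Established ("up") peers whose System IP is not in the inventory.

    This is the page's check: only peers that actually succeeded in joining
    the control plane count, so a peer still in "connect" state is ignored.
    """
    return [p for p in peers if p.state == "up" and p.system_ip not in inventory]


def system_ip_collisions(peers):
    """Known System IPs that are established from more than one public IP.

    Extra heuristic beyond the page's check (assumption): an attacker presenting
    a System IP a legitimate device already uses shows up as the same System IP
    arriving from two different public addresses.
    """
    seen = defaultdict(set)
    for p in peers:
        if p.state == "up":
            seen[p.system_ip].add(p.public_ip)
    return {sip: sorted(str(ip) for ip in ips) for sip, ips in seen.items() if len(ips) > 1}


def triage(connections_text=CONTROL_CONNECTIONS, inventory_text=INVENTORY):
    """Run both checks and return plain strings suitable for a ticket or a TAC case."""
    inventory = parse_inventory(inventory_text)
    peers = parse_connections(connections_text)
    return {
        "unknown": [(str(p.system_ip), str(p.public_ip)) for p in unknown_peers(peers, inventory)],
        "collisions": {str(k): v for k, v in system_ip_collisions(peers).items()},
    }


if __name__ == "__main__":
    result = triage()
    for system_ip, public_ip in result["unknown"]:
        print(f"UNKNOWN PEER: system-ip {system_ip} from {public_ip} (open a TAC case)")
    for system_ip, public_ips in result["collisions"].items():
        print(f"COLLISION: system-ip {system_ip} seen from {', '.join(public_ips)}")
```

On the constructed sample the first check reports 10.10.10.99, an established peer that is in no inventory, and the second flags 10.10.10.11 because it is up from two different public addresses; the 10.10.10.77 peer in "connect" state is deliberately not reported, since the page's check concerns peers that succeeded. Replace the two constructed strings with real exports and keep the "up" filter unless you also want failed attempts.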
Affected
Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and Cisco-managed SD-WAN Cloud deployments. Maximum severity (CVSSv3 10.0).
Fix
Upgrade to the fixed releases listed in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately - CISA Emergency Directive 26-03 set the federal deadline at May 17, 2026. Restrict internet exposure of UDP/12346 to trusted peers only.