- Cisco patched a critical vulnerability (CVE-2026-20182) in its Catalyst SD-WAN software that has been exploited in limited attacks.
- The flaw, with a maximum CVSS score of 10.0, allows unauthenticated remote attackers to bypass authentication and gain administrative privileges.
- The vulnerability is similar to, but distinct from, a previously exploited issue (CVE-2026-20127) in the same ‘vdaemon’ service.
- Systems exposed to the internet are at increased risk, and Cisco advises immediate patching and log review.
In May 2026, Cisco urgently addressed a critical security flaw in its widely used networking software after discovering it was already being exploited by attackers. The vulnerability, present in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, poses a severe threat to network integrity worldwide.
An attacker could exploit the malfunctioning peering authentication mechanism by sending crafted requests to a target system. Consequently, they could bypass all authentication and obtain full administrative control.
The issue was discovered by researchers at Rapid7, who detailed their findings in a public blog post. They noted that the flaw technically resembles a separate, previously exploited vulnerability tracked as CVE-2026-20127.
“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” the researchers stated. However, they clarified that this is a different issue located in a similar part of the networking stack.
Successful exploitation grants attackers the ability to log in as a high-privileged user. They can then access sensitive interfaces to manipulate the configuration of the entire SD-WAN fabric.
The company’s official security advisory warned that internet-exposed systems are at the greatest risk. Consequently, Cisco is urging all impacted customers to apply updates immediately.
Organizations should audit their “/var/log/auth.log” file for unauthorized login attempts. Additionally, they must check for suspicious peering events from unrecognized IP addresses.
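As an added illustration of the auth.log review (not code from Cisco or Rapid7), the sketch below flags accepted logins and failed attempts whose source address is outside an approved list. It assumes standard OpenSSH `sshd` log lines; the allowlisted networks, account names and sample lines are constructed, and peering events are not covered because the article does not give their log format.

```python
import ipaddress
import re
from collections import Counter

# Assumption: approved management hosts and SD-WAN peers (constructed ranges).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Standard OpenSSH sshd result lines as they appear in auth.log.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_known(ip_text):
    """True if the source address falls inside an approved network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # unparsable source: treat as unknown so it is reported
        return False
    return any(ip in net for net in KNOWN_NETWORKS)

def audit(lines):
    """Return (accepted logins from unknown IPs, failed-attempt counts per unknown IP)."""
    accepted_unknown, failed_unknown = [], Counter()
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or is_known(m["ip"]):
            continue
        if m["result"] == "Accepted":
            accepted_unknown.append((m["user"], m["ip"], m["method"]))
        else:
            failed_unknown[m["ip"]] += 1
    return accepted_unknown, failed_unknown

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = """\
May 14 02:11:07 ctrl1 sshd[4121]: Accepted password for admin from 10.20.0.15 port 50122 ssh2
May 14 02:13:40 ctrl1 sshd[4130]: Failed password for invalid user test from 198.51.100.23 port 40110 ssh2
May 14 02:13:44 ctrl1 sshd[4130]: Failed password for admin from 198.51.100.23 port 40112 ssh2
May 14 02:15:02 ctrl1 CRON[4140]: pam_unix(cron:session): session opened for user root
May 14 02:19:31 ctrl1 sshd[4152]: Accepted publickey for admin from 203.0.113.77 port 61001 ssh2: ED25519 SHA256:CONSTRUCTED
May 14 02:25:10 ctrl1 sshd[4160]: Accepted password for netops from 192.0.2.10 port 50990 ssh2
""".splitlines()

if __name__ == "__main__":
    accepted, failed = audit(SAMPLE_LOG)
    for user, ip, method in accepted:
        print(f"ALERT accepted {method} login for {user} from unrecognized {ip}")
    for ip, count in failed.items():
        print(f"WARN {count} failed attempts from unrecognized {ip}")
```

An accepted login from an unrecognized address is the higher-priority finding, since it indicates a session was actually established rather than merely attempted.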
