CVE-2026-20182: Improper Authentication in Cisco Cisco Catalyst SD-WAN Manager
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
AI Analysis
Technical Summary
This vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager allows an unauthenticated remote attacker to bypass authentication. By sending crafted requests, the attacker can log in as a high-privileged internal user, gaining administrative access to the system and NETCONF interface, which controls network configuration for the SD-WAN fabric. The flaw exists due to improper functioning of the peering authentication process. Multiple product versions are affected. No vendor-provided patch or official remediation level is currently documented.
Potential Impact
Successful exploitation results in complete compromise of the affected Cisco SD-WAN system, including administrative access and full control over network configuration via NETCONF. This can lead to unauthorized changes in network behavior, potentially disrupting operations or enabling further attacks. The CVSS base score of 10.0 reflects critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should monitor Cisco advisories closely and consider limiting network exposure of affected systems. No vendor advisory content is provided indicating that the issue is already mitigated or that no action is required.
CVE-2026-20182: Improper Authentication in Cisco Cisco Catalyst SD-WAN Manager
Description
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager allows an unauthenticated remote attacker to bypass authentication. By sending crafted requests, the attacker can log in as a high-privileged internal user, gaining administrative access to the system and NETCONF interface, which controls network configuration for the SD-WAN fabric. The flaw exists due to improper functioning of the peering authentication process. Multiple product versions are affected. No vendor-provided patch or official remediation level is currently documented.
Potential Impact
Successful exploitation results in complete compromise of the affected Cisco SD-WAN system, including administrative access and full control over network configuration via NETCONF. This can lead to unauthorized changes in network behavior, potentially disrupting operations or enabling further attacks. The CVSS base score of 10.0 reflects critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should monitor Cisco advisories closely and consider limiting network exposure of affected systems. No vendor advisory content is provided indicating that the issue is already mitigated or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cisco
- Date Reserved
- 2025-10-08T11:59:15.393Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05fd9dec166c07b0f930fa
Added to database: 5/14/2026, 4:51:41 PM
Last enriched: 5/14/2026, 5:07:37 PM
Last updated: 5/15/2026, 6:28:28 AM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.