Cisco disclosed CVE-2026-20182 on May 14 — a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller’s vdaemon service. Within 24 hours, CISA added it to the Known Exploited Vulnerabilities catalog with a Federal Civilian Executive Branch remediation deadline of May 17. Talos attributes ongoing exploitation to UAT-8616 with high confidence — the same actor behind February’s CVE-2026-20127 campaign in the same daemon.

If you run Catalyst SD-WAN Controller (formerly vSmart) or SD-WAN Manager (formerly vManage), patching by Sunday is not optional.

What is broken

The flaw lives in the peering authentication path of vdaemon, the service that handles control-plane traffic over DTLS on UDP port 12346. An unauthenticated remote attacker sends crafted peering requests, defeats authentication, and is granted administrative access to the controller as an internal, high-privileged non-root user. From that foothold, the attacker has full NETCONF access to manipulate the SD-WAN fabric configuration — and, in observed exploitation, has been injecting attacker-controlled public keys into the vmanage-admin user’s authorized_keys file to establish persistent SSH access.

Cisco’s advisory is explicit that this is not a patch bypass of CVE-2026-20127. It is a distinct logic defect in a different part of the same networking stack. Same daemon, same DTLS port, same effective outcome: unauthenticated admin on the device that controls your branch routing.

The CWE classification is CWE-287 (Improper Authentication). The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — network-reachable, no auth, no interaction, scope-changing, full triad impact.

Affected versions and fixes

Cisco shipped fixed releases on disclosure day:

  • Release 20.9 → 20.9.9.1
  • Release 20.10 / 20.11 → 20.12.7.1
  • Release 20.12 → 20.12.5.4, 20.12.6.2, or 20.12.7.1
  • Release 20.15 → 20.15.4.4 or 20.15.5.2
  • Release 20.18 → 20.18.2.2
  • Release 26.1 → 26.1.1.1
  • Cisco Managed Cloud 20.15.506 → remediated server-side without customer action

There is no configuration workaround. Cisco’s guidance is direct: upgrade.
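To turn the fixed-release table above into a patch-triage check, here is an added example (not Cisco's tooling and not from the advisory). It encodes the table exactly as listed, compares a running version against the fixed release of its own maintenance branch, sends the 20.10 and 20.11 trains to 20.12.7.1 as the table does, and deliberately reports "confirm" rather than "fixed" for any branch the table does not cover, since the page does not say whether later branches carry the fix. The version strings passed in are constructed inputs.

```python
"""Patch-status triage for CVE-2026-20182 fixed releases (added example)."""

# Fixed releases from the table above, keyed by maintenance branch
# (first three version components).
FIXED_BY_BRANCH = {
    (20, 9, 9): (20, 9, 9, 1),
    (20, 12, 5): (20, 12, 5, 4),
    (20, 12, 6): (20, 12, 6, 2),
    (20, 12, 7): (20, 12, 7, 1),
    (20, 15, 4): (20, 15, 4, 4),
    (20, 15, 5): (20, 15, 5, 2),
    (20, 18, 2): (20, 18, 2, 2),
    (26, 1, 1): (26, 1, 1, 1),
}
# Trains with no fixed release of their own; the table points them at 20.12.7.1.
MIGRATE_TRAIN = {(20, 10): (20, 12, 7, 1), (20, 11): (20, 12, 7, 1)}


def parse_version(text):
    """'20.12.5.2' -> (20, 12, 5, 2); missing trailing components are padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(version):
    return ".".join(str(x) for x in version)


def patch_status(text):
    """Return (state, target): state is 'fixed', 'upgrade' or 'confirm'."""
    v = parse_version(text)
    train, branch = v[:2], v[:3]
    if train in MIGRATE_TRAIN:
        return ("upgrade", fmt(MIGRATE_TRAIN[train]))
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return ("fixed", fmt(fixed)) if v >= fixed else ("upgrade", fmt(fixed))
    # Branch not listed: look at the fixed releases of the same train.
    candidates = sorted(f for b, f in FIXED_BY_BRANCH.items() if b[:2] == train)
    if not candidates:
        return ("confirm", "train not covered by the fixed-release table")
    if branch > candidates[-1][:3]:
        # Newer than every listed fixed branch; the table does not say whether
        # such a release carries the fix, so do not assume it does.
        return ("confirm", f"newer than listed fix {fmt(candidates[-1])}")
    # Older unlisted branch in a covered train: move to the latest listed fix.
    return ("upgrade", fmt(candidates[-1]))


if __name__ == "__main__":
    # Constructed sample inventory, not real controller data.
    for running in ["20.9.5.1", "20.10.1.1", "20.12.5.3", "20.12.7.1", "20.12.8.0", "19.2.3.1"]:
        state, target = patch_status(running)
        print(f"{running:<10} {state:<8} {target}")
```

Feed it the output of your controller inventory and treat every "upgrade" and "confirm" line as work; the "confirm" state exists precisely so that a release newer than the table is checked against the advisory rather than silently assumed safe.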

Who is exploiting it

Talos clusters the activity under UAT-8616, the same actor responsible for the multi-year exploitation of CVE-2026-20127 in this exact daemon. The post-compromise playbook is essentially unchanged from the February campaign:

  1. Auth bypass against vdaemon on UDP/12346.
  2. Authenticate to NETCONF as vmanage-admin.
  3. Drop an attacker SSH key into ~vmanage-admin/.ssh/authorized_keys.
  4. Establish persistent SSH back to the controller.
  5. Pivot into the data plane via SD-WAN fabric configuration changes.

UAT-8616’s tooling is well-developed and the actor has demonstrated patience — the Talos writeup describes a three-year operational lifecycle against the same controller class. The reuse of post-exploitation TTPs across CVE-2026-20127 and CVE-2026-20182 suggests this is a dedicated SD-WAN access broker, not opportunistic crime.

CISA Emergency Directive

CISA added CVE-2026-20182 to the KEV catalog on May 15. Federal Civilian Executive Branch agencies have until May 17 to remediate. The two-day deadline is unusually short and reflects both the CVSS 10 severity and the active exploitation evidence Cisco and Talos brought to the disclosure.

Detection

If you cannot patch immediately, hunt for the post-compromise indicators:

  • New SSH keys in /home/vmanage-admin/.ssh/authorized_keys on controllers that you did not deploy.
  • Unexpected NETCONF sessions from non-management subnets.
  • Outbound SSH connections from the controller to unfamiliar IPs.
  • New or modified SD-WAN policies, templates, or tunnel configurations without a corresponding change ticket.
  • DTLS traffic on UDP/12346 from outside your management network.

Compare the controller’s running configuration against your last known-good template; UAT-8616’s NETCONF activity is visible in audit logs if those are being shipped off-box.

Mitigation steps

  1. Apply the fixed release matching your major version. There is no workaround — upgrade is the only path.
  2. Restrict UDP/12346 to known SD-WAN peer addresses at your edge firewall. The vulnerable service should never be exposed to the public internet.
  3. After upgrade, rotate any SSH keys present in vmanage-admin’s authorized_keys. Treat all entries as suspect.
  4. Audit NETCONF session history and SD-WAN policy diffs for the last 90 days.
  5. If indicators of compromise are present, rebuild the controller from a known-clean image and rotate fabric-wide credentials.
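The authorized_keys and NETCONF checks from the Detection section and from mitigation steps 3 and 4 above can be scripted against exported data. The following is an added example, not Cisco's or Talos's code: it diffs vmanage-admin's authorized_keys against an inventory of keys you deployed, and scans audit and flow records for NETCONF sessions from outside the management network and UDP/12346 traffic from outside the expected peer networks. The log line formats, subnets, key blobs and addresses are constructed assumptions; adapt the regexes to whatever your audit logs and flow collector actually emit.

```python
"""Hunt for the CVE-2026-20182 post-compromise pattern (added example)."""
import ipaddress
import re

# Constructed inventory: the key material you actually deployed (type, base64 blob).
DEPLOYED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIDeployedKeyPlaceholder0000000000000000000"
KNOWN_KEYS = {("ssh-ed25519", DEPLOYED_BLOB)}

# Constructed assumptions: where NETCONF sessions and SD-WAN peering should come from.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
PEER_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.0/24")]

KEY_TYPE = re.compile(r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))$")
# Constructed log shapes; real vManage audit/flow formats will differ.
SESSION_RE = re.compile(r"netconf session-start user=(?P<user>\S+) src=(?P<src>\S+)")
FLOW_RE = re.compile(r"flow proto=udp src=(?P<src>\S+) dst=\S+ dport=12346\b")


def parse_authorized_keys(text):
    """Return (key_type, blob, comment) per key line; an options prefix is skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if KEY_TYPE.match(tok) and i + 1 < len(tokens):
                keys.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return keys


def unexpected_keys(text, known=KNOWN_KEYS):
    """Keys present on the controller that are not in the deployed-key inventory."""
    return [k for k in parse_authorized_keys(text) if (k[0], k[1]) not in known]


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def suspicious_events(log_lines, mgmt_nets=MANAGEMENT_NETS, peer_nets=PEER_NETS):
    """Flag NETCONF sessions from outside management and UDP/12346 from outside peer nets."""
    findings = []
    for line in log_lines:
        m = SESSION_RE.search(line)
        if m and not _in_any(m["src"], mgmt_nets):
            findings.append(("netconf-from-unexpected-net", m["user"], m["src"]))
            continue
        m = FLOW_RE.search(line)
        if m and not _in_any(m["src"], peer_nets):
            findings.append(("udp12346-from-unexpected-net", "-", m["src"]))
    return findings


# Constructed sample data: one deployed key plus one that nobody provisioned,
# and a handful of flow/audit records with documentation-range addresses.
SAMPLE_AUTHORIZED_KEYS = f"""\
# deployed by automation
ssh-ed25519 {DEPLOYED_BLOB} ops@mgmt
from="203.0.113.45" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnknownKeyPlaceholder000000 x
"""
SAMPLE_LOG = [
    "2026-05-15T02:13:59Z flow proto=udp src=192.0.2.10 dst=10.0.0.5 dport=12346",
    "2026-05-15T02:14:03Z flow proto=udp src=203.0.113.45 dst=10.0.0.5 dport=12346",
    "2026-05-15T02:14:07Z netconf session-start user=vmanage-admin src=203.0.113.45",
    "2026-05-15T09:00:00Z netconf session-start user=netops src=10.0.0.20",
]

if __name__ == "__main__":
    for key_type, blob, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"UNKNOWN KEY  {key_type} ...{blob[-12:]} comment={comment!r}")
    for kind, user, src in suspicious_events(SAMPLE_LOG):
        print(f"{kind:<30} user={user} src={src}")
```

Run it over the authorized_keys file pulled from each controller and over audit logs shipped off-box (L53 notes they are only useful if they are), and treat any unknown key as grounds for the rotate-and-rebuild steps above rather than just deleting the line.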

Two unauthenticated CVSS-10 bypasses in the same daemon, exploited by the same actor, across three years. If your SD-WAN deployment has not been getting a security architecture review, it has earned one.