
CVSS 10.0: Cisco Catalyst SD-WAN Just Handed Attackers Your Entire Overlay

CVE-2026-20182 landed in CISA's Known Exploited Vulnerabilities catalog yesterday. CVSS 10.0. Emergency Directive 26-03. Federal agencies patch by tomorrow. UAT-8616 is not waiting for your change management window. Here's what the flaw does, who's behind it, and exactly what to run before you close this tab.

CISA Emergency Directive 26-03

CVE-2026-20182 hit CISA's Known Exploited Vulnerabilities catalog on May 14. CISA issued Emergency Directive 26-03 the same day. Federal agencies must patch by May 17. That is tomorrow. If you run Cisco Catalyst SD-WAN Controllers anywhere in your environment — on-prem, cloud-hosted, in a hybrid fabric — this is not a “patch in the next cycle” conversation. UAT-8616 is actively exploiting this right now.

CVSS Score: 10.0. Maximum severity. Authentication bypass with no prerequisites.

CISA Emergency Directive: ED 26-03. Federal patch deadline: May 17, 2026.

Active Threat Cluster: UAT-8616. Cisco Talos-tracked. ORB infra. Confirmed active exploitation in the wild.

What the Flaw Actually Does

The vulnerability lives in the vdaemon service on UDP port 12346 — the DTLS-over-UDP control-plane peering port. This is the channel Cisco Catalyst SD-WAN Controllers use to establish and authenticate overlay fabric connections between sites. It is the trust anchor of the entire architecture.

Attack Path — No Credentials Required

Attacker → UDP port 12346 → crafted DTLS packets
         → vdaemon auth bypass
         → logs in as high-privileged internal account
         → NETCONF access
         → full SD-WAN overlay configuration rewrite
            (routes, policies, TLOCs, all of it)

An unauthenticated remote attacker sends crafted packets to the vdaemon service, bypasses authentication entirely, and gains NETCONF access. NETCONF is the management protocol that controls your SD-WAN overlay configuration. Routes. Policies. TLOCs. Everything. The attacker does not need to be on your network. They need reachability to UDP 12346 on the controller.

This is not a bypass of CVE-2026-20127

Rapid7 discovered this independently. CVE-2026-20182 is a fresh hole in the same vdaemon service stack — not a patch regression or variant of the earlier advisory. Researchers have confirmed working exploit code exists.

Why NETCONF access is game over: NETCONF is not read-only telemetry. It is the full management plane. An attacker with NETCONF access can rewrite your SD-WAN routing policy to redirect traffic through attacker-controlled infrastructure, manipulate TLOCs to poison site-to-site paths, or black-hole entire segments of your fabric.

Who's Behind It: UAT-8616

Cisco Talos is tracking active exploitation under threat cluster UAT-8616. This is not opportunistic scanning. UAT-8616 operates with ORB (Operational Relay Box) network infrastructure — a technique that routes attacker traffic through a mesh of compromised residential and commercial nodes to obscure origin and complicate attribution.

Observed Intrusion Behavior

01. Initial access via CVE-2026-20182
Crafted DTLS packets to UDP 12346 achieve authentication bypass on the vdaemon service. No credentials. No prior access required.

02. SSH key injection
After gaining NETCONF access, attackers injected SSH keys to establish persistent, deniable backdoor access independent of the original exploit path.

03. NETCONF configuration manipulation
Overlay routing and policy configurations were altered. The specific changes observed varied by target, but the capability to rewrite the entire fabric was exercised.

04. Root escalation attempt via CVE-2022-20775
Attackers attempted root escalation using a known 2022 vulnerability. If your controller OS is unpatched across that window, the blast radius expands significantly.

05. Log clearance on the way out
Auth logs and system logs were cleared before exfiltration or before the attacker went quiet. Standard anti-forensics. If your logs look suspiciously clean, treat that as signal.

This is not script kiddie activity. Injecting SSH keys, manipulating NETCONF configs, attempting privilege escalation through a separate CVE, and clearing logs on exit is a deliberate, multi-stage intrusion playbook. UAT-8616 is sophisticated and they have working exploit code for a CVSS 10.0 hole.

What to Do Right Now

Five Steps. Do These Today.

1. Check your Cisco Catalyst SD-WAN Controller version
Cisco has patches for all supported releases. Go to the cisco-sa-sdwan-rpa2-v69WY2SW advisory, find your version line, and get the patched build queued now.

2. Run show control connections detail
Look for connections with state:up and challenge-ack: 0. That is unauthorized peering. If you see it, you are already compromised. Skip to step 4.

3. Check /var/log/auth.log for unexpected entries
Filter for "Accepted publickey for vmanage-admin" entries. SSH keys you did not put there are a confirmed indicator of UAT-8616 post-exploitation activity.

4. Open a TAC case if you suspect compromise
Severity 3. Include CVE-2026-20182 in the title. Do not wait to see if things stabilize. If logs are unexpectedly clean or there are any anomalous NETCONF changes, that is enough.

5. Restrict UDP port 12346 to known controller IPs at the perimeter
This does not replace the patch. But until the patch is applied, a perimeter ACL restricting vdaemon access to your known controller IPs significantly narrows the attack surface.

Commands to Run Now

Check for Unauthorized Peering

show control connections detail
# Flag any connection where:
# state: up
# challenge-ack: 0
# These are unauthorized peers

Run on every Cisco Catalyst SD-WAN Controller in your fabric.
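If you are collecting that output from many controllers, reading it by eye does not scale. The script below is an added example, not Cisco's tooling or code from this post: it parses captured `show control connections detail` text into one record per peer and returns only the peers that are up with challenge-ack 0. The sample output is constructed to mimic the command's key/value layout; the `state` and `challenge-ack` field names come from this post, every other field, separator line and address is an assumption, so check one real record from your own controller and adjust the regexes before trusting the result.

```python
"""Flag unauthorized peers in captured `show control connections detail` output.

Added example (not Cisco's tooling). The sample below is CONSTRUCTED; only the
`state` and `challenge-ack` fields are taken from the advisory write-up, the
rest of the layout is assumed and may differ from real output.
"""
import re
from typing import Dict, List

# Constructed sample: four peer records, each introduced by a header line
# and separated by dashed rules. Record 3 is the one that should be flagged.
SAMPLE_OUTPUT = """\
------------------------------------------------------------
LOCAL-COLOR- default  SYSTEM-IP- 10.0.0.2   PEER-PERSONALITY- vsmart
------------------------------------------------------------
  site-id        100
  protocol       dtls
  public-ip      203.0.113.20
  public-port    12346
  state          up
  challenge-ack  1
  uptime         3:02:11:45
------------------------------------------------------------
LOCAL-COLOR- default  SYSTEM-IP- 10.0.0.3   PEER-PERSONALITY- vbond
------------------------------------------------------------
  site-id        0
  protocol       dtls
  public-ip      203.0.113.21
  public-port    12346
  state          up
  challenge-ack  1
------------------------------------------------------------
LOCAL-COLOR- default  SYSTEM-IP- 10.0.0.99  PEER-PERSONALITY- vsmart
------------------------------------------------------------
  site-id        100
  protocol       dtls
  public-ip      198.51.100.77
  public-port    12346
  state          up
  challenge-ack  0
------------------------------------------------------------
LOCAL-COLOR- default  SYSTEM-IP- 10.0.0.4   PEER-PERSONALITY- vsmart
------------------------------------------------------------
  state          connect
  challenge-ack  0
"""

# Header line of a peer record (assumed layout, see lead-in).
HEADER_RE = re.compile(r"SYSTEM-IP-\s+(\S+)\s+PEER-PERSONALITY-\s+(\S+)")
# Indented "key   value" lines inside a record.
KV_RE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s+(\S.*?)\s*$")


def parse_control_connections(text: str) -> List[Dict[str, str]]:
    """Split the command output into one dict per peer record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            current = {"system-ip": header.group(1), "personality": header.group(2)}
            records.append(current)
            continue
        # Skip dashed separators, blank lines and anything before the first header.
        if not current or set(line.strip()) <= {"-"}:
            continue
        kv = KV_RE.match(line)
        if kv:
            current[kv.group(1)] = kv.group(2)
    return records


def flag_unauthorized_peers(text: str) -> List[Dict[str, str]]:
    """Return peers that are up but never completed the challenge (challenge-ack 0).

    A peer in state 'connect' with challenge-ack 0 is still negotiating and is
    not flagged; only an established session without a challenge is suspicious.
    """
    return [
        rec for rec in parse_control_connections(text)
        if rec.get("state", "").lower() == "up" and rec.get("challenge-ack") == "0"
    ]


if __name__ == "__main__":
    for peer in flag_unauthorized_peers(SAMPLE_OUTPUT):
        print("UNAUTHORIZED PEER:", peer["system-ip"], peer.get("public-ip", "?"),
              peer["personality"])
```

Feed it the saved output of one controller at a time (for example `python3 flag_peers.py < controller1.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`), and keep the flagged records: the public-ip and personality of a peer that is up without a challenge are exactly what a TAC case and your own investigation will need.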

Check for Injected SSH Keys

grep "Accepted publickey for vmanage-admin" /var/log/auth.log

# Any hit you didn't authorize
# = UAT-8616 post-exploitation indicator
# Open a TAC case immediately

Cross-reference timestamps against your change management records.
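The cross-reference step is where the grep output turns into a decision, so here is an added example of doing it in code (not the post's or Cisco's own script). It parses sshd "Accepted publickey" lines for the vmanage-admin account, turns the syslog timestamps into datetimes, and reports every login that falls outside an approved change window. The log lines, the key fingerprints, the change windows and the log year are all constructed for the example; in practice the windows come from your change management system and the year from the log's own rotation metadata.

```python
"""Flag vmanage-admin publickey logins that fall outside approved change windows.

Added example, not code from the post or from Cisco. Sample log lines, key
fingerprints, change windows and LOG_YEAR are CONSTRUCTED for illustration.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

LOG_YEAR = 2026  # syslog timestamps carry no year; assumed for the sample

# Constructed auth.log excerpt. Line 3 is the login we expect to flag.
SAMPLE_AUTH_LOG = """\
May 13 09:02:11 vmanage sshd[4021]: Accepted publickey for vmanage-admin from 10.10.5.5 port 50212 ssh2: RSA SHA256:CONSTRUCTED-KEY-A
May 13 09:05:40 vmanage sshd[4030]: Accepted password for netops from 10.10.5.6 port 50300 ssh2
May 15 02:14:07 vmanage sshd[7713]: Accepted publickey for vmanage-admin from 198.51.100.77 port 51822 ssh2: ED25519 SHA256:CONSTRUCTED-KEY-B
May 15 02:14:09 vmanage sshd[7713]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
May 16 14:30:02 vmanage sshd[9102]: Accepted publickey for vmanage-admin from 10.10.5.5 port 50980 ssh2: RSA SHA256:CONSTRUCTED-KEY-A
"""

# Constructed approved change windows (start, end), inclusive.
CHANGE_WINDOWS: List[Tuple[datetime, datetime]] = [
    (datetime(2026, 5, 13, 8, 0), datetime(2026, 5, 13, 10, 0)),
    (datetime(2026, 5, 16, 14, 0), datetime(2026, 5, 16, 16, 0)),
]

# Standard sshd "Accepted publickey" line; the trailing key type/fingerprint is optional
# because older sshd builds do not log it.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"sshd\[\d+\]:\s+Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2(?::\s+(?P<key>.*))?$"
)

Login = Tuple[datetime, str, str]  # (timestamp, source ip, key info)


def parse_publickey_logins(log_text: str, user: str = "vmanage-admin") -> List[Login]:
    """Return every accepted publickey login for `user`, oldest first as logged."""
    logins: List[Login] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        stamp = f"{LOG_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        logins.append((ts, m.group("src"), m.group("key") or ""))
    return logins


def in_change_window(ts: datetime, windows: List[Tuple[datetime, datetime]]) -> bool:
    """True if the timestamp falls inside any approved window."""
    return any(start <= ts <= end for start, end in windows)


def flag_unapproved_logins(log_text: str,
                           windows: Optional[List[Tuple[datetime, datetime]]] = None,
                           user: str = "vmanage-admin") -> List[Login]:
    """Logins for `user` that do not line up with any change window: investigate each."""
    windows = CHANGE_WINDOWS if windows is None else windows
    return [lg for lg in parse_publickey_logins(log_text, user)
            if not in_change_window(lg[0], windows)]


if __name__ == "__main__":
    for ts, src, key in flag_unapproved_logins(SAMPLE_AUTH_LOG):
        print(f"UNAPPROVED LOGIN {ts.isoformat()} from {src} key={key or 'n/a'}")
```

A hit here is a lead, not proof: an out-of-window login from a known jump host is a process problem, while one from an address you do not recognise with a key fingerprint you never issued matches the SSH key injection behaviour described above. Remember the post's point about cleared logs: an empty result on a controller that should show routine admin logins is itself a signal, so compare the count of parsed logins against what you expect.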

Perimeter Mitigation (Pre-Patch)

# Restrict vdaemon access to known controller IPs
# ACL example (adjust to your platform)
permit udp [known-controller-ips] any eq 12346
deny   udp any any eq 12346

# This narrows surface — does NOT replace the patch

Apply at your network perimeter until the Cisco patch is deployed.

Check for Root Escalation Exposure

# UAT-8616 also uses CVE-2022-20775
# Check your controller OS patch level
show version
# Verify patched against 2022-20775
# in addition to 2026-20182

If unpatched against the 2022 CVE, your blast radius is significantly larger.

Why This Keeps Happening

SD-WAN was sold as the simplified, software-defined future of enterprise networking. The controller is the trust anchor. It does not just manage connectivity — it defines the routing, security policy, and path selection for every site in the fabric.

When the control plane's authentication can be bypassed with crafted UDP packets on a well-known port, every site in the fabric is a casualty waiting to happen. One controller compromise does not mean one site compromise. It means all of them. That is the threat model SD-WAN creates, and that is what CVSS 10.0 on this specific component actually means in practice.

Peering authentication on critical network infrastructure should not be a single point of failure with a CVSS ceiling.

The structural problem is the same one that surfaces in every critical infrastructure CVE cycle: the component with the highest blast radius is the one that gets the least adversarial scrutiny during the design phase, because the teams shipping it are thinking about features and scalability, not about what happens when the authentication layer is paper-thin. CVE-2026-20182 is a reminder that the management plane of your network fabric deserves the same threat modeling rigor as your application layer.

What You Need to Know

CVE-2026-20182 is a CVSS 10.0 authentication bypass in the vdaemon service on UDP port 12346. No credentials required. Working exploit code confirmed.

An attacker who successfully exploits this gets NETCONF access — the ability to rewrite your entire SD-WAN overlay configuration including routes, policies, and TLOCs.

This is NOT a variant of CVE-2026-20127. Rapid7 discovered it independently. It is a fresh hole in the same service stack.

UAT-8616 is actively exploiting this with ORB infrastructure. Observed post-exploitation includes SSH key injection, NETCONF manipulation, root escalation via CVE-2022-20775, and log clearing.

CISA Emergency Directive 26-03 sets a federal patch deadline of May 17. Non-federal orgs should treat this timeline as their own — UAT-8616 is not filtering by sector.

Run "show control connections detail" now. Flag any connection with state:up and challenge-ack:0. Check /var/log/auth.log for unauthorized vmanage-admin publickey entries.

Restrict UDP port 12346 to known controller IPs at your perimeter as an interim measure. Patch first chance you get — the ACL is a mitigant, not a fix.

Cisco advisory: cisco-sa-sdwan-rpa2-v69WY2SW. Patches available for all supported releases. Check your version line and deploy.

Scope: What Is Affected

CVE-2026-20182 affects the Cisco Catalyst SD-WAN Controller (formerly vManage). This is the centralized management and orchestration component. If you are running a Cisco Catalyst SD-WAN fabric — on-premises, IaaS-hosted, or hybrid — the controller is in scope. Cisco has confirmed patches across all currently supported software release trains. The advisory cisco-sa-sdwan-rpa2-v69WY2SW has the full version matrix.

In Scope

• Cisco Catalyst SD-WAN Controller (all supported releases)

• On-premises controller deployments

• Controller instances running in IaaS (AWS, Azure, GCP)

• Hybrid SD-WAN fabrics with on-prem controllers

How to Confirm Exposure

• Run show version on the controller

• Compare against the patched version matrix in the advisory

• Check UDP port 12346 exposure at your perimeter

• If internet-exposed: treat as compromised pending investigation


Patch This Before You Do Anything Else Today.

CVSS 10.0. Active exploitation. A threat cluster that clears logs on the way out. Your SD-WAN controller is the trust anchor of your entire fabric. Treat it like one.