Description
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. 

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Published: 2026-05-14
Score: 10 Critical
EPSS: 87.7% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the peering authentication of Cisco Catalyst SD‑WAN Controller (vSmart), Manager (vManage) and Validator (vBond) allows an unauthenticated, remote attacker to bypass the expected authentication process. The attacker can send specially crafted requests during the control‑connection handshake, causing the affected system to accept the connection and grant access as an internal, non‑root user account with administrative privileges. With that session the attacker can use NETCONF to alter SD‑WAN fabric configuration, effectively taking full control over the network without valid credentials.

Affected Systems

The vulnerability affects Cisco Catalyst SD‑WAN Controller (vSmart) and Cisco Catalyst SD‑WAN Manager (vManage) running firmware or software version 20.12.7. The advisory does not specify a version for Cisco Catalyst SD‑WAN Validator (vBond), but the peering authentication flaw is present in that component as well. Any deployment of the affected Controller or Manager with version 20.12.7 remains vulnerable until the patched firmware is installed; the Validator remains vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. The EPSS score of 88% points to a high likelihood of exploitation in the wild. The vulnerability is listed in the CISA KEV catalog, confirming active exploitation. An attacker can exploit it simply by sending crafted requests over the network; no prior authentication or auxiliary privileges are required.

Generated by OpenCVE AI on June 24, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco Catalyst SD‑WAN Controller firmware update that addresses the peering‑authentication issue
  • Apply the latest Cisco Catalyst SD‑WAN Manager firmware update that addresses the peering‑authentication issue
  • Review the Cisco Advisory to determine if a patch for Cisco Catalyst SD‑WAN Validator is available and apply it when possible
  • Re‑configure peering authentication following Cisco’s official guidance and validate that all control connections enforce proper authentication
  • Enable detailed logging of control‑connection attempts and regularly review logs for unauthorized access patterns



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type: Description
Values Removed: May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Values Added: May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Fri, 15 May 2026 13:00:00 +0000

Type: First Time appeared
Values Added: Cisco sd-wan Vsmart Controller

Type: CPEs
Values Added:
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:*
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Cisco sd-wan Vsmart Controller

Fri, 15 May 2026 11:30:00 +0000

Type: First Time appeared
Values Added:
Cisco
Cisco catalyst Sd-wan Manager

Type: Vendors & Products
Values Added:
Cisco
Cisco catalyst Sd-wan Manager

Thu, 14 May 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 18:30:00 +0000


Thu, 14 May 2026 17:15:00 +0000

Type: Metrics
Values Added: kev
{'dateAdded': '2026-05-14T00:00:00+00:00', 'dueDate': '2026-05-17T00:00:00+00:00'}


Thu, 14 May 2026 17:00:00 +0000

Type: Description
Values Added: May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Type: Title
Values Added: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-16T17:57:59.048Z

Reserved: 2025-10-08T11:59:15.393Z

Link: CVE-2026-20182

Vulnrichment

Updated: 2026-05-14T17:41:18.017Z

NVD

Status: Analyzed

Published: 2026-05-14T17:16:19.387

Modified: 2026-06-17T15:06:02.767

Link: CVE-2026-20182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z
