Cisco disclosed and patched CVE-2026-20182 on May 14, 2026 — the sixth Cisco SD-WAN vulnerability confirmed exploited this year and the second in 2026 to carry a maximum CVSS 10.0 score. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day, issuing a three-day remediation deadline to all federal civilian agencies, the shortest window the catalog permits and one reserved for vulnerabilities with confirmed, active in-the-wild exploitation.
UAT-8616 Exploits vdaemon Peering Authentication via DTLS on UDP Port 12346
CVE-2026-20182 is an authentication bypass in the vdaemon service, which manages SD-WAN peering authentication in the Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). An attacker with network access sends specially crafted DTLS packets over UDP port 12346 to bypass authentication entirely, gaining access equivalent to the internal vmanage-admin account — the platform’s highest privilege level.
No credentials and no victim interaction are required to trigger exploitation. Every deployment model is affected: on-premises installations, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP-hosted environments. Cisco released patches on May 14. The advisory confirms no workaround is available, making patch deployment the only complete remediation path.
UAT-8616’s Post-Exploitation Behavior: SSH Key Injection and NETCONF Manipulation
Cisco attributed active exploitation of CVE-2026-20182 to UAT-8616, the same threat cluster previously confirmed exploiting CVE-2026-20127, a CVSS 10.0 SD-WAN authentication bypass disclosed earlier in 2026. On systems compromised through the new flaw, UAT-8616 was observed adding SSH authorized keys to maintain persistent management access, modifying NETCONF configurations, and escalating privileges to root on compromised controllers.
Persistent root-level access to SD-WAN controllers gives an attacker authority over routing decisions, traffic policy enforcement, and device orchestration across every endpoint connected to an organization’s SD-WAN fabric. The scope of what can be manipulated from a compromised controller — including rerouting of enterprise traffic, inspection of encrypted overlays, and silent policy modification — makes SD-WAN controllers a high-value post-exploitation target beyond simple credential theft.
Ten Attacker Clusters and Fifteen KEV Entries as Exploitation Broadens Beyond UAT-8616
Cisco Talos tracked 10 distinct activity clusters exploiting SD-WAN vulnerabilities across 2026. Documented payloads from these clusters span cryptocurrency miners, credential stealers, and persistent backdoors, confirming that multiple threat actors with separate objectives are treating each new SD-WAN advisory as an immediate weaponization opportunity.
CISA’s Known Exploited Vulnerabilities catalog now lists 15 Cisco SD-WAN entries in total. CVE-2026-20182 is the sixth SD-WAN flaw confirmed exploited in 2026 alone; the five others are CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2026-20127, and CVE-2022-20775. Two of the six 2026 entries reached CVSS 10.0, and the volume of attacker clusters signals that SD-WAN exploitation has moved well beyond a single sophisticated actor into broader, opportunistic targeting.
Auditing Cisco Catalyst SD-WAN Deployments for CVE-2026-20182 Compromise
Defenders running Cisco Catalyst SD-WAN should apply Cisco’s May 14 patches immediately and audit /var/log/auth.log for unexpected “Accepted publickey” entries, which may indicate SSH key injection by UAT-8616. Unexplained peer connection attempts from unrecognized IP addresses and NETCONF configuration changes made outside authorized maintenance windows are additional indicators requiring investigation.
At the network perimeter, monitoring UDP port 12346 for DTLS traffic originating from unexpected external sources can surface active exploitation attempts or early reconnaissance. For organizations that cannot immediately apply the patch, restricting DTLS connectivity to verified SD-WAN peer addresses at the perimeter provides a partial reduction in exposure but does not replace the patch.
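The two audit steps above (checking auth.log for unexpected "Accepted publickey" logins, and checking UDP/12346 DTLS sources against the set of verified peers) can be scripted against exported logs. The following is an added example written for this article, not Cisco's tooling or anything published by Talos or CISA: the auth.log lines are constructed in OpenSSH's standard format, and the key-fingerprint allowlist, peer address set, and flow records are hypothetical placeholders an organisation would replace with its own inventory.

```python
import re

# Constructed sample auth.log lines in OpenSSH's "Accepted publickey" format.
# Addresses are documentation ranges; fingerprints are placeholders, not real keys.
SAMPLE_AUTH_LOG = """\
May 15 02:10:01 vmanage sshd[1881]: Accepted publickey for admin from 10.20.0.5 port 51822 ssh2: ED25519 SHA256:AAAA_known_key_placeholder
May 15 02:41:17 vmanage sshd[1902]: Accepted password for netops from 10.20.0.7 port 51900 ssh2
May 15 03:12:44 vmanage sshd[2211]: Accepted publickey for admin from 203.0.113.45 port 51234 ssh2: RSA SHA256:BBBB_unknown_key_placeholder
May 15 03:13:02 vmanage sshd[2214]: Failed publickey for root from 203.0.113.45 port 51240 ssh2: RSA SHA256:BBBB_unknown_key_placeholder
"""

# Hypothetical inventory: fingerprints of keys the organisation knowingly
# provisioned, and addresses of verified SD-WAN peers / management hosts.
KNOWN_FINGERPRINTS = {"SHA256:AAAA_known_key_placeholder"}
KNOWN_PEERS = {"10.20.0.5", "10.20.0.7", "10.20.0.9"}

# vdaemon DTLS peering port named in the advisory.
DTLS_PORT = 12346

# Matches only successful public-key logins; password logins and failures are
# out of scope for the SSH-key-injection indicator and are left to other checks.
ACCEPTED_PUBKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)$"
)


def audit_auth_log(text, known_fingerprints, known_peers):
    """Return one finding per public-key login that used an unknown key or
    came from an address not in the verified peer set."""
    findings = []
    for line in text.splitlines():
        m = ACCEPTED_PUBKEY_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["fp"] not in known_fingerprints:
            reasons.append("unknown_key")        # possible injected authorized_key
        if m["ip"] not in known_peers:
            reasons.append("unknown_source")     # login from an unrecognised address
        if reasons:
            findings.append({
                "timestamp": m["ts"],
                "host": m["host"],
                "user": m["user"],
                "source_ip": m["ip"],
                "fingerprint": m["fp"],
                "reasons": reasons,
            })
    return findings


def flag_dtls_sources(flows, known_peers, dtls_port=DTLS_PORT):
    """Given (src_ip, dst_ip, proto, dst_port) flow records, return the sorted
    set of sources sending UDP to the DTLS peering port that are not verified
    peers. Everything else (other ports, known peers) is ignored."""
    suspicious = {
        src for src, _dst, proto, dport in flows
        if proto == "udp" and dport == dtls_port and src not in known_peers
    }
    return sorted(suspicious)


# Constructed flow records (e.g. from a perimeter firewall or NetFlow export).
SAMPLE_FLOWS = [
    ("10.20.0.9", "10.20.0.1", "udp", 12346),       # verified peer: fine
    ("198.51.100.23", "10.20.0.1", "udp", 12346),   # external source hitting DTLS port
    ("203.0.113.45", "10.20.0.1", "udp", 12346),    # same address as the odd SSH login
    ("203.0.113.45", "10.20.0.1", "tcp", 443),      # not the DTLS port: ignored here
]


if __name__ == "__main__":
    for f in audit_auth_log(SAMPLE_AUTH_LOG, KNOWN_FINGERPRINTS, KNOWN_PEERS):
        print("SSH finding:", f)
    print("Unexpected DTLS sources:", flag_dtls_sources(SAMPLE_FLOWS, KNOWN_PEERS))
```

Correlating the two outputs is the useful part: a source address that appears both as an unexpected DTLS/12346 sender and as the origin of a public-key login with a fingerprint not in inventory is exactly the pattern the advisory describes, and warrants pulling the controller's authorized_keys files and NETCONF change history for that window.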
The cadence of six exploited SD-WAN vulnerabilities in under five months — spanning two CVSS 10.0 flaws, ten identified attacker clusters, and payloads ranging from crypto mining to persistent backdoors — indicates that Cisco SD-WAN infrastructure will remain a primary target for the remainder of 2026.
