CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover
From CTI Daily Brief — 2026-05-15 · published 2026-05-15
CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without validating the claimed device type: a connecting peer that claims type 2 (vHub) and presents a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, gaining persistent SSH access to the SD-WAN Manager over the NETCONF port, TCP/830. From there the attacker controls the fabric configuration and routing policy and can read or modify the configuration of every managed site.

Added to CISA KEV on 2026-05-14 with active exploitation confirmed.

No workaround exists. Where upgrading is not immediately possible, segmenting the network so that UDP/12346 is reachable only from expected control-plane peers is the only partial mitigation; because the validator must be reachable by every edge, often across the internet, this limits exposure rather than removing it. Controllers that were exposed before patching should have /home/vmanage-admin/.ssh/authorized_keys reviewed for keys the team did not provision. Fixed releases: 20.9.9.1; 20.12.5.4, 20.12.6.2 and 20.12.7.1; 20.15.4.4 and 20.15.5.2; 20.18.2.2; 26.1.1.1.
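Because the fixed releases are listed per branch (20.12.5.x is fixed at 20.12.5.4, but 20.12.6.x only at 20.12.6.2), a plain numeric comparison against the lowest fixed version mis-triages an inventory. The following is an added example for this brief, not code from Cisco, Rapid7 or the PSIRT advisory: it compares each running version against the fixed build on its own branch, and flags any branch the brief does not list (older trains, or newer branches released after the brief) for manual confirmation against the advisory instead of guessing. The per-branch semantics are an assumption drawn from how the brief lists the fixes; the hostnames and versions in the sample inventory are constructed.

```python
"""Triage Cisco Catalyst SD-WAN Manager/Controller versions against the
fixed releases this brief lists for CVE-2026-20182.

Added example for the brief; not Cisco's, Rapid7's or the advisory's code.
ASSUMPTION: a fix covers only its own major.minor.patch branch, so
20.12.6.1 is NOT covered by the 20.12.5.4 fix. Confirm against
cisco-sa-sdwan-rpa2-v69WY2SW before acting on the output.
"""
from __future__ import annotations

import re

# Fixed releases as listed in the brief, keyed by branch
# (major, minor, patch) -> first fixed build on that branch.
FIXED_BUILDS: dict[tuple[int, int, int], int] = {
    (20, 9, 9): 1,
    (20, 12, 5): 4,
    (20, 12, 6): 2,
    (20, 12, 7): 1,
    (20, 15, 4): 4,
    (20, 15, 5): 2,
    (20, 18, 2): 2,
    (26, 1, 1): 1,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'a.b.c' or 'a.b.c.d' into four ints; a missing build is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one version.

    'no-fix-listed' means the branch does not appear in the brief's fixed
    list at all; treat it as exposed and check the advisory, do not assume
    a later branch is safe just because its number is higher.
    """
    major, minor, patch, build = parse_version(version)
    branch = (major, minor, patch)
    if branch in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"
    return "no-fix-listed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts by assessment; unparseable versions get their own bucket
    so they are not silently dropped from the report."""
    buckets: dict[str, list[str]] = {
        "fixed": [], "vulnerable": [], "no-fix-listed": [], "unparseable": []
    }
    for host, version in inventory.items():
        try:
            buckets[assess(version)].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "sdwan-mgr-01": "20.12.7.1",   # fixed
        "sdwan-mgr-02": "20.12.6.1",   # vulnerable: 20.12.6 branch fixed at .2
        "sdwan-ctrl-01": "20.15.4.3",  # vulnerable
        "sdwan-ctrl-02": "20.10.1",    # branch not listed in the brief
        "sdwan-val-01": "unknown",     # unparseable, must be investigated
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket:14s} {', '.join(hosts) or '-'}")
```

Run it against a version export from the Manager inventory; anything in the vulnerable, no-fix-listed or unparseable buckets needs an upgrade decision, and hosts that sat exposed on UDP/12346 before patching also warrant the authorized_keys review described above.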