ctipilot.ch

Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited)

cve · CVE-2026-20182

  • Coverage timeline: 3 (first 2026-05-15 → last 2026-06-27)
  • Briefs: 3 (3 distinct)
  • Sources cited: 77 (42 hosts)
  • Sections touched: 3 (active_threats, updates, weekly_summary)
  • Co-occurring entities: 8

Story timeline

  1. 2026-06-27 · CTI Daily Brief — 2026-06-27
     updates · UPDATE: included in Mandiant 2026-06-24 full Cisco Catalyst SD-WAN exploitation-chain disclosure (auth bypass stage). § 4.
  2. 2026-05-17 · CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026)
     weekly_summary · Consolidated in weekly summary for 2026-W20
  3. 2026-05-15 · CTI Daily Brief — 2026-05-15
     active_threats · First coverage. CVSS 10.0 pre-auth bypass in vdaemon DTLS service UDP/12346. Actively exploited by UAT-8616 and 10+ clusters. CISA ED-26-03 issued. Deep dive in §5.

Where this entity is cited

  • active_threats: 1
  • weekly_summary: 1
  • updates: 1

Source distribution

  • attack.mitre.org: 12 (16%)
  • blog.talosintelligence.com: 7 (9%)
  • sec.cloudapps.cisco.com: 7 (9%)
  • bleepingcomputer.com: 4 (5%)
  • thehackernews.com: 4 (5%)
  • theregister.com: 3 (4%)
  • cloud.google.com: 2 (3%)
  • security-hub.ncsc.admin.ch: 2 (3%)
  • other: 36 (47%)

External references

NVD · cve.org · CISA KEV

Items in briefs about Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited) (4)

UPDATE: Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).

The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (rogue peering connection), then privilege escalation via CVE-2026-20245 — a malicious evil_tenant.csv uploaded through the request tenant-upload CLI command carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow, after which the actor reverts the configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not offer: search SD-WAN Manager instances for unexpected /etc/passwd additions, evil_tenant.csv artefacts, and request tenant-upload executions in the CLI logs.

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: attackers with netadmin access to your Catalyst SD-WAN Manager can execute arbitrary commands as root and, per NCSC-CH's 5 June advisory update, push malicious configurations to every downstream edge device. No patch exists.

CVE-2026-20245 is a command injection in SD-WAN Manager's CLI file-upload handler (Cisco PSIRT; daily 2026-06-06). An authenticated attacker with netadmin privileges injects arbitrary OS commands that execute as root (T1059.004). In observed limited incidents, exploitation of CVE-2026-20245 resulted in malicious configurations pushed to downstream edge devices — extending attacker control from the management plane into the forwarding plane (NCSC-CH advisory 12579, updated 2026-06-05). The realistic attack path is a three-CVE chain: CVE-2026-20182 provides unauthenticated management-interface access (T1190), CVE-2026-20127 escalates to netadmin (T1078), and CVE-2026-20245 executes OS commands as root. The first two CVEs are patched in post-14-May SD-WAN Manager builds; CVE-2026-20245 has no fix — Cisco's only guidance is management-plane access restriction.

The forwarding-plane impact is the operationally critical new fact from this week: in transit-mode SD-WAN deployments, attacker-controlled edge-device configurations can cascade into routing-table manipulation, traffic interception, and service disruption across every site managed from the compromised Manager instance. Defender actions: apply the post-14-May SD-WAN Manager builds (patches chain entry points CVE-2026-20182/20127); ACL the management interface to a dedicated management VLAN; enforce MFA for netadmin and rotate Manager credentials; hunt the CLI audit log for anomalous file-upload events; and treat any unscheduled edge-device config-push as a hunting trigger.

Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land is the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.
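The 401/403→200 hunt on /dataservice/* from external sources, as an added example (not from the brief, Talos or Cisco): the log lines are constructed and the field layout is assumed; adapt parse() to the real vmanage_event or NETCONF-gateway export, and the internal ranges to your own management VLAN.

```python
"""Hunt for denied-then-allowed /dataservice/* access from external sources.
Log lines are CONSTRUCTED and the field layout is an assumption; adapt
parse() to your own vmanage_event or NETCONF-gateway export."""
import ipaddress
import re

# Assumed layout: <ISO timestamp> <client ip> "<method> <path> HTTP/x" <status>
LINE = re.compile(r'^(\S+) (\S+) "(?:GET|POST|PUT|DELETE) (\S+)[^"]*" (\d{3})$')
# Management-VLAN ranges treated as internal (RFC 1918 here; adjust to yours).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
2026-03-02T09:00:01Z 10.20.0.5 "GET /dataservice/device HTTP/1.1" 401
2026-03-02T09:00:09Z 10.20.0.5 "GET /dataservice/device HTTP/1.1" 200
2026-03-02T09:05:12Z 203.0.113.77 "GET /dataservice/client/server HTTP/1.1" 401
2026-03-02T09:06:55Z 203.0.113.77 "POST /dataservice/template/device HTTP/1.1" 200
2026-03-02T09:07:00Z 203.0.113.77 "GET /dataservice/device/config HTTP/1.1" 200
2026-03-02T10:00:00Z 192.0.2.10 "GET /dataservice/device HTTP/1.1" 200
2026-03-02T10:30:00Z 192.0.2.10 "GET /dataservice/device HTTP/1.1" 401
2026-03-02T11:00:00Z 198.51.100.9 "GET /dataservice/device HTTP/1.1" 403
2026-03-02T15:00:00Z 198.51.100.9 "GET /dataservice/device HTTP/1.1" 200
"""


def parse(line):
    """Return (timestamp, ip, path, status) or None for non-matching lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, ip, path, status = m.groups()
    return ts, ip, path, int(status)


def find_transitions(lines):
    """Per external source IP, the first 401/403 on /dataservice/* that is
    later followed by a 200 on /dataservice/* (lines assumed chronological).
    Returns {ip: (denied_ts, success_ts, path_that_succeeded)}."""
    last_denied, hits = {}, {}
    for rec in map(parse, lines):
        if rec is None:
            continue
        ts, ip, path, status = rec
        if not path.startswith("/dataservice/"):
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in INTERNAL):
            continue  # admin login retry from the management VLAN, not the signal
        if status in (401, 403):
            last_denied.setdefault(ip, ts)
        elif status == 200 and ip in last_denied and ip not in hits:
            hits[ip] = (last_denied[ip], ts, path)
    return hits
```

A 200 followed later by a 401 (normal session expiry) is deliberately not flagged; only the denied-then-succeeded order matches the pattern the brief describes.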

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without checking the claimed device type: a connecting device claiming type 2 (vHub) using a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, achieving persistent SSH access to the SD-WAN Manager on NETCONF port TCP/830. From there, the attacker has full control of SD-WAN fabric configuration, routing policy, and can read or modify all managed-site configurations. Added to CISA KEV on 2026-05-14 with active exploitation confirmed. No workaround exists; network segmentation of the UDP/12346 interface is the only partial mitigation where upgrading is not immediately possible. Fixed: 20.9.9.1, 20.12.5.4/6.2/7.1, 20.15.4.4/5.2, 20.18.2.2, 26.1.1.1.