CVE-2026-20182 Critical Authentication Bypass in Cisco Catal...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed
• Blog Title: CVE-2026-20182: Critical Authentication Bypass in Cisco Catalyst SD-WAN Controller
• Suggested Section: Network Services Pentesting -> Cisco SD-WAN / vdaemon UDP/12346, or Pentesting Network -> Cisco SD-WAN Control Plane Attacks

🎯 Content Summary

Overview and impact

CVE-2026-20182 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller, formerly vSmart. The issue affects the vdaemon DTLS control-plane service exposed on UDP port 12346. It was discovered while Rapid7 was researching CVE-2026-20127, another critical vulnerability in the same service, but CVE-2026-20182 is not a patch bypass; it is a distinct bug in a similar part of the vdaemon networking stack...

🔧 Technical Details

Attacker-controlled role selection can bypass authentication when a state machine lacks a default-deny path. In this case, the protocol chooses verification logic based on a claimed device_type value encoded in the high nibble of the device_info header byte. Types 1, 3, and 5 receive hardware-certificate or certificate-chain verification, but type 2 / vHub has no verification branch. Because the function later unconditionally executes *(_BYTE *)(a2 + 70) = 1, equivalent to peer->authenticated = true, an attacker can select the unhandled type and fall through to authenticated state. The general lesson is that authentication logic driven by attacker-controlled roles, device classes, tenant types, or protocol modes must use explicit allow/deny behavior and must not grant success after unhandled cases.

Pre-authentication allowlists are exploitable whe...

🤖 Agent Actions

Done.

Updated:

• src/generic-methodologies-and-resources/pentesting-network/README.md

What I added:

• A new Cisco SD-WAN Control-Plane Attacks section
• The reusable technique behind the bug:
  • attacker-controlled device_info role selection
  • missing default-deny verification path for vHub / type 2
  • pre-auth CHALLENGE_ACK reachability
  • post-auth pivot to SSH key injection and NETCONF over SSH on TCP/830
• A concise offensive workflow with nmap, Metasploit, and SSH
• Technical detection/validation notes
• References to:
  • Rapid7 blog
  • Cisco advisory

Validation:

• Reviewed the inserted section and final references block
• Ran git diff --check successfully
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> Cisco SD-WAN / vdaemon UDP/12346, or Pentesting Network -> Cisco SD-WAN Control Plane Attacks".

Repository Maintenance:

• MD Files Formatting: 974 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0