Expand Up @@ -658,6 +658,46 @@ In Open Shortest Path First (OSPF) protocol **MD5 authentication is commonly emp
- **Configuring Route Parameters:** This is done through the _Injection_ tab.
- **Setting the Compromised Key:** The key is configured under the _Connection_ tab.

### Cisco SD-WAN Control-Plane Attacks

Cisco Catalyst SD-WAN controllers expose a **DTLS control-plane service on UDP/12346** (`vdaemon`). Treat it like a routing-adjacency surface, not "just another management port": if you can become an authenticated peer, you can usually pivot into the whole overlay fabric.

**Interesting protocol details:**
- `vdaemon` uses a **12-byte header** where the **high nibble** of `device_info` encodes the claimed device role (`1` vEdge, `2` vHub, `3` vSmart, `4` vBond, `5` vManage, `6` ZTP).
- The DTLS handshake itself is **not sufficient authentication**. Peer trust is finalized later during `CHALLENGE_ACK` processing.
- `CHALLENGE_ACK` (**message type `9`**) is reachable **before authentication**, because it is part of the control-plane bootstrap allowlist.

**Practical attack pattern:**
- In CVE-2026-20182, Rapid7 showed that `vbond_proc_challenge_ack()` verified some roles (`vEdge`, `vSmart`, `vManage`) but had **no verification branch for claimed role `2` / vHub**.
- Because the function later fell through to `peer->authenticated = 1`, an attacker could complete DTLS with **any certificate**, send `CHALLENGE_ACK` with the **high nibble of `device_info` set to `2`**, then send `Hello` and transition to an **UP authenticated peer**.
- This is a good pattern to hunt in other proprietary control planes: **attacker-controlled role selection + missing default-deny branch + pre-auth handshake messages**.

**Post-auth pivot worth checking:**
- Once treated as an authenticated peer, the controller accepted `MSG_VMANAGE_TO_PEER` (**message type `14`**) and appended attacker-controlled data to `/home/vmanage-admin/.ssh/authorized_keys`.
- That turns a control-plane foothold into **persistent NETCONF over SSH** access on **TCP/830** as `vmanage-admin`.
- Review similar appliances for post-auth messages that write **SSH keys, API tokens, trust bundles, or bootstrap secrets** for privileged internal service accounts.

**Exposure triage / offensive workflow:**

```bash
# Discover the control-plane and follow-on management ports
nmap -sU -p12346 <IP>
nmap -sT -p22,830 <IP>

# Rapid7 module automating the vHub auth bypass + SSH key injection
msf6 > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass
msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > set RHOSTS <IP>
msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > run

# If the target accepts the injected key, pivot to NETCONF over SSH
ssh -i <loot_key.pem> vmanage-admin@<IP> -p 830
```

**Detection / validation ideas:**
- Audit Internet-facing or cross-trust-boundary exposure of **UDP/12346** and **TCP/830**.
- Inspect `/home/vmanage-admin/.ssh/authorized_keys` for unexpected appended keys after control-plane events.
- After gaining NETCONF, remember that configuration and state retrieval may be available even if a normal shell is not.

### Other Generic Tools & Sources

- [**Above**](https://github.com/c4s73r/Above): Tool to scan network traffic and find vulnerabilities
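Review bot: the third bullet under "Detection / validation ideas" ("After gaining NETCONF, remember that configuration and state retrieval may be available even if a normal shell is not") is a post-exploitation note, not a detection or validation idea; move it to the "Post-auth pivot worth checking" list so the detection list stays actionable for defenders, and round that list out with the remediation the section never states, namely upgrading to the fixed release linked from the Cisco advisory and restricting UDP/12346 and TCP/830 to known controller and edge peers. Two smaller points: the `bash` fence mixes pasteable shell commands with `msf6 >` console transcript lines, so either split the Metasploit lines into their own block or note that they are a console session; and the "Practical attack pattern" bullets attribute the `vbond_proc_challenge_ack()` analysis to Rapid7 but do not link the write-up inline, while the References hunk does, so a short "see References" pointer here would help readers find the primary source.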
Expand Down Expand Up @@ -992,6 +1032,8 @@ telecom-network-exploitation.md

## References

- [Rapid7: CVE-2026-20182 - Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/)
- [Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW)
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
- **Network Security Assessment: Know Your Network (3rd edition)**
- **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood**
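Review bot: the Rapid7 link slug begins with `ve-cve-2026-20182-...`; the `ve-` prefix looks like a typo for `cve-...`, so confirm the URL resolves before merging, since a dead link in the References section is easy to miss. Minor style point: both new entries carry a descriptive title, while the existing Medium entry directly below is a bare URL; giving it a title would make the list consistent.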