Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure
CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco lists fixed releases across 20.9, 20.12, 20.15, 20.18, and 26.1 trains; CISA ED 26-03 provides concrete artifact selectors for rogue peering, root SSH, downgrades, and log clearing.
Executive Summary
CISA added CVE-2026-20182 to KEV on 2026-05-14 with due date 2026-05-17 (CISA KEV). Cisco describes an authentication bypass affecting Catalyst SD-WAN Controller and Catalyst SD-WAN Manager that can allow unauthenticated remote administrative access (Cisco).
This article uses Cisco’s fixed-release table and the CISA ED 26-03 supplemental artifact selectors for version closure and compromise hunting (Cisco; CISA Supplemental Direction).
Key Facts
```yaml
cve: "CVE-2026-20182"
vendor: "Cisco"
product: "Catalyst SD-WAN Controller and Catalyst SD-WAN Manager"
kev_added: "2026-05-14"
kev_due: "2026-05-17"
vulnerability: "Authentication bypass to administrative privileges"
cwe: ["CWE-287"]
cvss_v31: "10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
vulnerable_product_scope: "Controller and Manager across on-prem, Cloud-Pro, Cisco-managed cloud, and FedRAMP deployments"
first_fixed_releases:
  "20.9": "20.9.9.1"
  "20.10": "20.12.7.1"
  "20.11": "20.12.7.1"
  "20.12": ["20.12.5.4", "20.12.6.2", "20.12.7.1"]
  "20.13": "20.15.5.2"
  "20.14": "20.15.5.2"
  "20.15": ["20.15.4.4", "20.15.5.2"]
  "20.16": "20.18.2.2"
  "20.18": "20.18.2.2"
  "26.1": "26.1.1.1"
  "cloud_managed": "20.15.506"
exploitation_status: "cisa_emergency_directive_and_kev"
```
Source Confidence & Evidence Mapping
- confirmed: CISA KEV lists CVE-2026-20182 as known exploited (CISA KEV).
- confirmed: Cisco lists Catalyst SD-WAN Controller and Manager as vulnerable and provides fixed releases (Cisco).
- confirmed: CISA ED 26-03 and its supplemental guidance provide concrete hunt artifacts and selectors for Cisco SD-WAN systems (CISA ED 26-03; CISA Supplemental Direction).
- confirmed: NVD lists CWE-287 and CVSS 10.0 for CVE-2026-20182 (NVD).
Impact Determination
| Classification | Criteria | Required evidence | Remediation trigger | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | Exported Cisco SD-WAN artifacts show rogue peering, root SSH, downgrade/reversion, anomalous users, or log clearing on a vulnerable deployment. | Fixed-release comparison plus artifact lines from CISA selectors. | Preserve vManage/vSmart/vBond artifacts and deploy fresh patched OVA/QCOW2 images when root compromise is identified per CISA guidance. | Fixed release is verified and artifact hunt has no unresolved root, rogue peer, downgrade, or log-clearing evidence. |
| Presumed exposed | Catalyst SD-WAN Controller or Manager runs below Cisco’s first fixed release for its train. | Product export, scanner row, or admin UI export with exact release. | Keep the control plane in scope until fixed-release proof exists. | Version verifier returns a fixed release for the train. |
| Potentially exposed | Catalyst SD-WAN appears in inventory but release, deployment type, or artifact export is missing. | CMDB, scanner, device export, or service evidence. | Collect release and artifact bundle evidence. | Asset resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
| Not exposed | No Controller/Manager asset exists, or release is at a Cisco fixed release. | Negative inventory or fixed-release output. | None for this CVE. | Evidence is attached to the control-plane asset record. |
| Unknown | Release or device artifacts are unavailable. | Gap statement naming unavailable assets or exports. | Keep SD-WAN management/control-plane assets in scope. | Evidence is recovered or the risk owner accepts the named gap. |
Timeline
- 2026-05-14: Cisco publishes the Catalyst SD-WAN advisory for CVE-2026-20182 (Cisco).
- 2026-05-14: CISA adds CVE-2026-20182 to KEV with due date 2026-05-17 (CISA KEV).
- 2026-05-14: NVD publication timestamp for CVE-2026-20182 (NVD).
What Happened
Cisco’s advisory scopes the vulnerable products to Catalyst SD-WAN Controller and Manager. CISA’s supplemental direction provides host artifact selectors that are directly usable for triage: downgrade/reversion events, rogue peering, SSH abuse, root login, anomalous users, and log clearing.
Technical Analysis
The critical risk is administrative access to the SD-WAN management or control plane. CISA’s guidance names artifacts under /var/volatile/log, /var/log/tmplog, /home/*/.ssh, /etc/ssh/sshd_config, /var/log/wtmp, /var/log/btmp, and /etc/passwd. The scripts below operate on exported artifacts and release inventory to avoid requiring live device credentials.
Affected Assets and Blast Radius
```yaml
asset_selectors:
  - "Cisco Catalyst SD-WAN Controller"
  - "Cisco Catalyst SD-WAN Manager"
  - "vManage"
  - "CVE-2026-20182"
control_plane_artifacts:
  - "/var/volatile/log/vdebug"
  - "/var/log/tmplog/vdebug"
  - "/var/volatile/log/sw_script_synccdb.log"
  - "/home/vmanage-admin/.ssh/authorized_keys"
  - "/home/root/.ssh/authorized_keys"
  - "/etc/ssh/sshd_config"
  - "/var/log/wtmp"
  - "/var/log/btmp"
  - "/etc/passwd"
highest_value_audit_targets:
  - "root SSH access"
  - "authorized_keys changes"
  - "rogue control-plane peering"
  - "version downgrade and application reversion"
  - "zero-byte wtmp, lastlog, or bash history"
```
Indicators And Detection Selectors
```yaml
cves: ["CVE-2026-20182"]
fixed_releases: ["20.9.9.1", "20.12.5.4", "20.12.6.2", "20.12.7.1", "20.15.4.4", "20.15.5.2", "20.18.2.2", "26.1.1.1", "20.15.506"]
cisa_artifact_selectors:
  - "master install"
  - "system-reboot-issued"
  - "Starting upgrade confirmation timer"
  - "Waiting for upgrade confirmation from user"
  - "Software upgrade not confirmed"
  - "control-connection-state-change"
  - "peer-type:'vhub'"
  - "remote-color"
  - "Accepted publickey for root"
  - "PermitRootLogin yes"
  - "/usr/sbin/useradd cfgmgr_config_aaa_user"
  - "cat /dev/null > wtmp"
  - "cat /dev/null > lastlog"
```
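The selector list above and the Impact Determination table, worked as an added Python example (not code from the original page, Cisco, or CISA): it groups the page's ED 26-03 selectors by evidence category, scans constructed sample artifact lines, and applies the table's classification rules. The category names, the `classify` inputs and the sample lines are assumptions made here.

```python
import re
# Constructed for this example: the ED 26-03 selectors listed on this page, grouped
# by the evidence category the Impact Determination table names.
SELECTOR_CATEGORY = {
    "master install": "downgrade",
    "system-reboot-issued": "downgrade",
    "Starting upgrade confirmation timer": "downgrade",
    "Waiting for upgrade confirmation from user": "downgrade",
    "Software upgrade not confirmed": "downgrade",
    "control-connection-state-change": "rogue_peering",
    "peer-type:'vhub'": "rogue_peering",
    "remote-color": "rogue_peering",
    "Accepted publickey for root": "root_ssh",
    "PermitRootLogin yes": "root_ssh",
    "/usr/sbin/useradd cfgmgr_config_aaa_user": "anomalous_user",
    "cat /dev/null > wtmp": "log_clearing",
    "cat /dev/null > lastlog": "log_clearing",
}

def scan_lines(lines):
    """Map each evidence category to the exported lines hitting one of its selectors."""
    hits = {}
    for line in lines:
        for category in {cat for sel, cat in SELECTOR_CATEGORY.items() if sel in line}:
            hits.setdefault(category, []).append(line)
    return hits

def classify(present, release, fixed_release_proven, hits, unrecoverable=False):
    """Apply the Impact Determination table to one Controller/Manager asset.
    hits is None when no artifact bundle was exported, else scan_lines() output."""
    if not present:
        return "not exposed"
    if release is None or hits is None:  # release or artifact export missing
        return "unknown" if unrecoverable else "potentially exposed"
    if hits:  # artifact lines plus a release comparison are both on file
        return "confirmed compromise"
    return "not exposed" if fixed_release_proven else "presumed exposed"

# Constructed sample artifact lines (not real device output).
SAMPLE_LINES = [
    "May 15 02:11:04 sshd[2210]: Accepted publickey for root from 203.0.113.7 port 51122 ssh2",
    "May 15 02:12:40 vdaemon: control-connection-state-change peer-type:'vhub' remote-color biz-internet",
    "May 15 02:13:02 sh: cat /dev/null > wtmp",
    "May 15 02:13:09 vmanage: heartbeat ok",
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES)
    print(classify(True, "20.12.4.1", False, found), sorted(found))
```

A device patched after the fact still classifies as confirmed compromise while artifact hits remain, which matches the table's closure condition (fixed release verified and no unresolved artifact evidence).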
Detection and Hunting
```bash
#!/usr/bin/env bash
# Hunt over an exported Catalyst SD-WAN Controller/Manager artifact tree for the
# CISA ED 26-03 selectors. Runs against the export, not a live device, so no
# device credentials are needed. Uses GNU stat/find.
set -euo pipefail
ARTIFACT_ROOT="${ARTIFACT_ROOT:-${1:-sdwan-artifacts}}"
OUT="${OUT:-hp-cisco-sdwan-cve-2026-20182-hunt}"
mkdir -p "$OUT"
# Artifacts named in the CISA guidance, relative to the export root.
FILES=(
  "var/volatile/log/vdebug"
  "var/log/tmplog/vdebug"
  "var/volatile/log/sw_script_synccdb.log"
  "var/log/tmplog/vdebug.5"
  "var/volatile/log/vconfd.10"
  "home/vmanage-admin/.ssh/authorized_keys"
  "home/root/.ssh/authorized_keys"
  "etc/ssh/sshd_config"
  "var/run/utmp"
  "var/log/wtmp"
  "var/log/btmp"
  "etc/passwd"
)
# Literal selectors from the CISA supplemental direction (matched with grep -F).
PATTERNS=(
  "CVE-2026-20182"
  "master install"
  "system-reboot-issued"
  "Starting upgrade confirmation timer"
  "Waiting for upgrade confirmation from user"
  "Software upgrade not confirmed"
  "control-connection-state-change"
  "peer-type:'vhub'"
  "remote-color"
  "Accepted publickey for root"
  "PermitRootLogin yes"
  "/usr/sbin/useradd cfgmgr_config_aaa_user"
  "system-login-change"
  "system-logout-change"
  "cat /dev/null > wtmp"
  "cat /dev/null > lastlog"
)
: > "$OUT/missing-artifacts.txt"
: > "$OUT/cisa-selector-matches.txt"
: > "$OUT/file-sizes.txt"
# Record name, size and mtime of each expected artifact; list those missing from the export.
for rel in "${FILES[@]}"; do
  path="$ARTIFACT_ROOT/$rel"
  if [[ -e "$path" ]]; then
    stat --printf '%n\t%s\t%y\n' "$path" >> "$OUT/file-sizes.txt" || true
  else
    printf '%s\n' "$rel" >> "$OUT/missing-artifacts.txt"
  fi
done
# Match every selector across every file in the export, with file name and line number.
for pattern in "${PATTERNS[@]}"; do
  while IFS= read -r -d '' file; do
    grep -HnF "$pattern" "$file" >> "$OUT/cisa-selector-matches.txt" || true
  done < <(find "$ARTIFACT_ROOT" -type f -print0)
done
# Root's password field in /etc/passwd (normally "x" when shadowed); anything else needs review.
if [[ -f "$ARTIFACT_ROOT/etc/passwd" ]]; then
  awk -F: '$1=="root"{print "root_passwd_field=" $2}' "$ARTIFACT_ROOT/etc/passwd" > "$OUT/root-passwd-field.txt"
fi
# Only an uncommented PermitRootLogin yes counts.
if [[ -f "$ARTIFACT_ROOT/etc/ssh/sshd_config" ]]; then
  grep -HnE '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$ARTIFACT_ROOT/etc/ssh/sshd_config" > "$OUT/permit-root-login-yes.txt" || true
fi
# Shell history files of 0-2 bytes are a log-clearing indicator.
find "$ARTIFACT_ROOT" -path '*/.bash_history' -type f -printf '%p\t%s bytes\t%TY-%Tm-%Td %TH:%TM:%TS\n' \
  | awk -F'\t' '$2 ~ /^(0|1|2) bytes$/' > "$OUT/small-bash-history-files.txt" || true
# Positive signal: root SSH, rogue peering, downgrade/reversion, unexpected user creation, or log clearing in exported Catalyst SD-WAN Controller/Manager artifacts.
printf 'wrote %s\n' "$OUT"
```
Patch, Mitigation, and Verification
```python
#!/usr/bin/env python3
# Release-closure check for CVE-2026-20182 over an exported asset inventory
# (CSV or JSON); no device credentials needed.
import csv
import json
import os
import re
import sys
from pathlib import Path

ASSET_EXPORT = Path(os.environ.get("ASSET_EXPORT", sys.argv[1] if len(sys.argv) > 1 else "sdwan-assets.csv")).resolve()
OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-cve-2026-20182-closure")).resolve()
CVE = "CVE-2026-20182"
SOURCE = "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"
# First fixed release per train, as listed in Key Facts above. Trains with no fix of
# their own (20.10, 20.11, 20.13, 20.14, 20.16) migrate to the later train's release;
# a train absent from this map gets no target and therefore stays open.
FIXED_BY_TRAIN = {
    "20.9": ["20.9.9.1"],
    "20.10": ["20.12.7.1"],
    "20.11": ["20.12.7.1"],
    "20.12": ["20.12.5.4", "20.12.6.2", "20.12.7.1"],
    "20.13": ["20.15.5.2"],
    "20.14": ["20.15.5.2"],
    "20.15": ["20.15.4.4", "20.15.5.2", "20.15.506"],  # 20.15.506 is the Cisco-managed cloud release
    "20.16": ["20.18.2.2"],
    "20.18": ["20.18.2.2"],
    "26.1": ["26.1.1.1"],
}

def vt(value):
    """Numeric version tuple: "20.12.5.4" -> (20, 12, 5, 4)."""
    return tuple(int(x) for x in re.findall(r"\d+", str(value))[:5])

def ge(left, right):
    """True when left >= right, right-padding the shorter tuple with zeros."""
    l, r = vt(left), vt(right)
    width = max(len(l), len(r), 1)
    return l + (0,) * (width - len(l)) >= r + (0,) * (width - len(r))

def row_iter(path):
    """Yield inventory rows from a CSV (DictReader) or JSON export."""
    if not path.exists():
        raise SystemExit(f"ASSET_EXPORT not found: {path}")
    if path.suffix.lower() == ".csv":
        with path.open(newline="", encoding="utf-8", errors="ignore") as handle:
            yield from csv.DictReader(handle)
    else:
        data = json.loads(path.read_text(encoding="utf-8", errors="ignore"))
        if isinstance(data, list):
            yield from data
        else:
            for key in ("assets", "devices", "controllers", "managers", "rows"):
                if isinstance(data.get(key), list):
                    yield from data[key]

def closest_fixed(version):
    """Pick the fixed release a detected version must meet.

    Candidates come only from the version's own train. Among them prefer the same
    number of components and the longest shared prefix, so 20.12.6.0 is measured
    against 20.12.6.2 (not fixed) rather than 20.12.5.4, and the three-component
    cloud release 20.15.503 is measured against 20.15.506.
    """
    v = vt(version)
    candidates = FIXED_BY_TRAIN.get(".".join(str(x) for x in v[:2]), [])
    if not candidates:
        return ""

    def rank(fix):
        f = vt(fix)
        shared = 0
        for a, b in zip(v, f):
            if a != b:
                break
            shared += 1
        return (len(f) == len(v), shared, f)

    return max(candidates, key=rank)

OUT.mkdir(parents=True, exist_ok=True)
results = []
for idx, row in enumerate(row_iter(ASSET_EXPORT), start=1):
    text = json.dumps(row, sort_keys=True)
    # Only rows naming the product, vManage, or the CVE are in scope.
    if "Catalyst SD-WAN" not in text and "vManage" not in text and CVE not in text:
        continue
    match = re.search(r"(?<!\d)(20\.\d+\.\d+(?:\.\d+)?|26\.1\.\d+\.\d+)(?!\d)", text)
    version = match.group(1) if match else ""
    fixed_target = closest_fixed(version) if version else ""
    fixed = bool(version and fixed_target and ge(version, fixed_target))
    results.append({"row": idx, "cve": CVE, "source": SOURCE, "detected_release": version,
                    "target_fixed_release": fixed_target, "fixed_release_proven": fixed, "row_data": row})
(OUT / "cisco-sdwan-cve-2026-20182-release-verification.json").write_text(json.dumps(results, indent=2, sort_keys=True), encoding="utf-8")
# Remediation trigger: fixed_release_proven false for any Catalyst SD-WAN Controller or Manager keeps CVE-2026-20182 open.
print(json.dumps({"out": str(OUT), "checked": len(results), "not_closed": [r for r in results if not r["fixed_release_proven"]]}, indent=2))
```
Downstream Abuse Audits
```bash
#!/usr/bin/env bash
# Downstream abuse audit over the same artifact export: one output file per ED 26-03 selector.
set -euo pipefail
ARTIFACT_ROOT="${ARTIFACT_ROOT:-${1:-sdwan-artifacts}}"
OUT="${OUT:-hp-cisco-sdwan-cve-2026-20182-downstream}"
mkdir -p "$OUT"
# Root SSH logins and root-login configuration.
grep -RInF "Accepted publickey for root" "$ARTIFACT_ROOT" > "$OUT/root-ssh-accepted.txt" || true
grep -RInF "PermitRootLogin yes" "$ARTIFACT_ROOT" > "$OUT/permit-root-login-yes.txt" || true
# Control-plane peering changes; review any vhub peer or remote-color the inventory does not explain.
grep -RInF "control-connection-state-change" "$ARTIFACT_ROOT" > "$OUT/control-connection-state-change.txt" || true
grep -RInF "peer-type:'vhub'" "$ARTIFACT_ROOT" > "$OUT/peer-type-vhub.txt" || true
grep -RInF "remote-color" "$ARTIFACT_ROOT" > "$OUT/remote-color.txt" || true
# Unexpected user creation via the config manager, and explicit login-log clearing.
grep -RInF "/usr/sbin/useradd cfgmgr_config_aaa_user" "$ARTIFACT_ROOT" > "$OUT/cfgmgr-useradd.txt" || true
grep -RInF "cat /dev/null > wtmp" "$ARTIFACT_ROOT" > "$OUT/wtmp-clearing.txt" || true
grep -RInF "cat /dev/null > lastlog" "$ARTIFACT_ROOT" > "$OUT/lastlog-clearing.txt" || true
# Inventory authorized_keys files and login logs with size and mtime (GNU find);
# a zero-byte wtmp, btmp or lastlog is itself a signal.
find "$ARTIFACT_ROOT" -path '*/authorized_keys' -type f -printf '%p\t%s bytes\t%TY-%Tm-%Td %TH:%TM:%TS\n' > "$OUT/authorized-keys-inventory.txt" || true
find "$ARTIFACT_ROOT" \( -name wtmp -o -name btmp -o -name lastlog \) -type f -printf '%p\t%s bytes\t%TY-%Tm-%Td %TH:%TM:%TS\n' > "$OUT/login-log-file-sizes.txt" || true
# Positive signal: root SSH, rogue peering, unauthorized authorized_keys changes, unexpected user creation, or login-log clearing.
# Remediation trigger: root account compromise or an unauthorized control-plane peer requires fresh patched OVA/QCOW2 deployment and migration per CISA ED 26-03 guidance.
printf 'wrote %s for CVE-2026-20182\n' "$OUT"
```
Sources
- CISA Known Exploited Vulnerabilities catalog JSON
- Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
- CISA ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems
- CISA Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems
- NVD CVE-2026-20182