Cisco Catalyst SD-WAN Controller Authentication Bypass
| Disclosed | Created |
|---|---|
| Feb 25, 2026 | Apr 2, 2026 |
Description
This module exploits an authentication bypass vulnerability (CVE-2026-20127)
in the Cisco Catalyst SD-WAN Controller (vSmart). The vdaemon DTLS control-plane
service fails to properly validate the verify_status byte in CHALLENGE_ACK_ACK
(msg_type=10) messages. The vbond_proc_challenge_ack_ack() handler reads an
attacker-controlled verify_status byte from the message body and, if non-zero,
sets the peer's authenticated flag to 1. Furthermore, the authentication gate in
vbond_proc_msg() exempts msg_type=10 from authentication checks, allowing an
unauthenticated peer to send this message.
An attacker can connect via DTLS 1.2 using a self-signed certificate (the server
performs no certificate validation at the handshake stage), skip the CHALLENGE_ACK
step, and send a forged CHALLENGE_ACK_ACK with verify_status=1 to become a trusted
peer without any legitimate credentials.
This module leverages the auth bypass to inject an SSH public key into the
vmanage-admin authorized_keys file via a VMANAGE_TO_PEER message, providing
persistent SSH access to the controller.
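The flaw described above is a case of a server letting the peer supply its own authentication result. The following C model, added here for illustration and not taken from vdaemon or from the module, contrasts a handler that copies a peer-supplied verify_status byte into the authenticated flag with one that derives the flag only from the server's own verification of the earlier CHALLENGE_ACK. Only msg_type 10 (CHALLENGE_ACK_ACK) comes from the advisory; the other message type values, the struct layout and the function names are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the bug class (peer-supplied authentication state).
 * Only msg_type 10 is from the advisory; the other values are placeholders. */
enum {
    MSG_CHALLENGE_ACK     = 9,   /* constructed value */
    MSG_CHALLENGE_ACK_ACK = 10,  /* from the advisory */
    MSG_VMANAGE_TO_PEER   = 11,  /* constructed value */
};

struct peer {
    bool authenticated;       /* flag the dispatcher gates data messages on */
    bool challenge_verified;  /* set only by the server's own check of CHALLENGE_ACK */
};

/* Stand-in for the server verifying a CHALLENGE_ACK against the challenge it
 * issued. In this toy model any non-empty response counts as valid; a real
 * implementation would check a signature or MAC over its own nonce. */
static void server_verify_challenge_ack(struct peer *p, const uint8_t *body, size_t len) {
    p->challenge_verified = (len > 0);
}

/* Vulnerable pattern: the peer-supplied verify_status byte decides the flag. */
static int vuln_proc_challenge_ack_ack(struct peer *p, const uint8_t *body, size_t len) {
    if (len < 1) return -1;
    uint8_t verify_status = body[0];        /* attacker-controlled */
    if (verify_status != 0) p->authenticated = true;
    return 0;
}

/* Hardened pattern: the flag follows the server's own verification result;
 * the byte in the message carries no authority and is not consulted. */
static int safe_proc_challenge_ack_ack(struct peer *p, const uint8_t *body, size_t len) {
    (void)body; (void)len;
    if (!p->challenge_verified) return -1;   /* no verified CHALLENGE_ACK yet: reject */
    p->authenticated = true;
    return 0;
}

/* Dispatcher; `hardened` selects which CHALLENGE_ACK_ACK handler is used. */
static int proc_msg(struct peer *p, uint8_t msg_type, const uint8_t *body,
                    size_t len, bool hardened) {
    if (msg_type == MSG_CHALLENGE_ACK) {
        server_verify_challenge_ack(p, body, len);
        return 0;
    }
    if (msg_type == MSG_CHALLENGE_ACK_ACK) {
        /* Vulnerable gate: reachable unauthenticated and trusted as-is.
         * Hardened gate: only meaningful after a verified CHALLENGE_ACK. */
        return hardened ? safe_proc_challenge_ack_ack(p, body, len)
                        : vuln_proc_challenge_ack_ack(p, body, len);
    }
    /* Every other message type requires the authenticated flag. */
    if (!p->authenticated) return -1;
    return 0;  /* accepted; a VMANAGE_TO_PEER payload would be processed here */
}

/* Sequence from the advisory: skip CHALLENGE_ACK, send CHALLENGE_ACK_ACK with
 * verify_status=1, then a data message. Returns true if the data message is accepted. */
bool skip_challenge_sequence_accepted(bool hardened) {
    struct peer p = { false, false };
    const uint8_t forged_ack_ack[1] = { 1 };   /* verify_status = 1 */
    proc_msg(&p, MSG_CHALLENGE_ACK_ACK, forged_ack_ack, sizeof forged_ack_ack, hardened);
    return proc_msg(&p, MSG_VMANAGE_TO_PEER, NULL, 0, hardened) == 0;
}

/* Legitimate sequence: a CHALLENGE_ACK the server verifies, then the ACK_ACK, then data. */
bool legitimate_sequence_accepted(bool hardened) {
    struct peer p = { false, false };
    const uint8_t response[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed response */
    const uint8_t ack_ack[1] = { 1 };
    proc_msg(&p, MSG_CHALLENGE_ACK, response, sizeof response, hardened);
    proc_msg(&p, MSG_CHALLENGE_ACK_ACK, ack_ack, sizeof ack_ack, hardened);
    return proc_msg(&p, MSG_VMANAGE_TO_PEER, NULL, 0, hardened) == 0;
}
```

With the vulnerable handler the skip-challenge sequence is accepted; with the hardened handler it is rejected while the legitimate sequence still succeeds. The design point is that a message field may report state but must never be the source of truth for it; the server's own verification record is.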
Author
sfewer-r7
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':