module
Cisco Catalyst SD-WAN Controller vHub Authentication Bypass
| Disclosed | Created |
|---|---|
| May 7, 2026 | May 15, 2026 |
Description
This module exploits an authentication bypass vulnerability (CVE-2026-20182)
in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane
service performs no certificate or credential verification for connecting peers
that claim to be a vHub (device type 2). The vbond_proc_challenge_ack() function
implements device-type-specific verification through a series of conditional
blocks, but contains no code path for device type 2 (vHub). After a DTLS
handshake using any self-signed certificate, an attacker sends a CHALLENGE_ACK
(msg_type=9) with the vHub device type encoded in the protocol header. The
function falls through all verification checks and unconditionally sets
peer->authenticated = 1.
This module leverages the authentication bypass to inject an attacker-controlled
SSH public key into the vmanage-admin user's authorized_keys file via a
VMANAGE_TO_PEER message (msg_type=14), providing persistent SSH access to the
controller over the NETCONF service (TCP port 830).
Affected versions: Cisco Catalyst SD-WAN Controller 20.12.6.1 and earlier.
Consult Cisco's security advisory for a complete list of affected versions
and patches.
Authors
sfewer-r7
Crypto-Cat
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':