Description
This module exploits an authentication bypass vulnerability (CVE-2026-20127) in the Cisco Catalyst SD-WAN Controller (vSmart). The vdaemon DTLS control-plane service fails to properly validate the verify_status byte in CHALLENGE_ACK_ACK (msg_type=10) messages. The vbond_proc_challenge_ack_ack() handler reads an attacker-controlled verify_status byte from the message body and, if non-zero, sets the peer's authenticated flag to 1. Furthermore, the authentication gate in vbond_proc_msg() exempts msg_type=10 from authentication checks, allowing an unauthenticated peer to send this message.
An attacker can connect via DTLS 1.2 using a self-signed certificate (the server performs no certificate validation at the handshake stage), skip the CHALLENGE_ACK step, and send a forged CHALLENGE_ACK_ACK with verify_status=1 to become a trusted peer without any legitimate credentials.
This module leverages the auth bypass to inject an SSH public key into the vmanage-admin authorized_keys file via a VMANAGE_TO_PEER message, providing persistent SSH access to the controller.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/networking/cisco_sdwan_auth_bypassmsf undefined(cisco_sdwan_auth_bypass) > show actions ...actions...msf undefined(cisco_sdwan_auth_bypass) > set ACTION < action-name >msf undefined(cisco_sdwan_auth_bypass) > show options ...show and set options...msf undefined(cisco_sdwan_auth_bypass) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub