Description
This module exploits an authentication bypass vulnerability (CVE-2026-20182) in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane service performs no certificate or credential verification for connecting peers that claim to be a vHub (device type 2). The vbond_proc_challenge_ack() function implements device-type-specific verification through a series of conditional blocks, but contains no code path for device type 2 (vHub). After a DTLS handshake using any self-signed certificate, an attacker sends a CHALLENGE_ACK (msg_type=9) with the vHub device type encoded in the protocol header. The function falls through all verification checks and unconditionally sets peer->authenticated = 1.
This module leverages the authentication bypass to inject an attacker-controlled SSH public key into the vmanage-admin user's authorized_keys file via a VMANAGE_TO_PEER message (msg_type=14), providing persistent SSH access to the controller over the NETCONF service (TCP port 830).
Affected versions: Cisco Catalyst SD-WAN Controller 20.12.6.1 and earlier. Consult Cisco's security advisory for a complete list of affected versions and patches.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypassmsf undefined(cisco_sdwan_vhub_auth_bypass) > show actions ...actions...msf undefined(cisco_sdwan_vhub_auth_bypass) > set ACTION < action-name >msf undefined(cisco_sdwan_vhub_auth_bypass) > show options ...show and set options...msf undefined(cisco_sdwan_vhub_auth_bypass) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub