Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco Catalyst SD-WAN Controller Authentication Bypass (cisco-sa-sdwan-rpa2-v69WY2SW)

🗓️ 15 May 2026 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 24 Views

Unauthenticated remote attacker can bypass peering authentication and gain admin access on Cisco Catalyst SD-WAN Controller and Manager, enabling NETCONF config manipulation.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Improper Authentication in Cisco Catalyst_Sd-Wan_Manager
15 May 202614:07
githubexploit
GithubExploit		Exploit for Improper Authentication in Cisco Catalyst_Sd-Wan_Manager
22 May 202621:17
githubexploit
GithubExploit		Exploit for Improper Authentication in Cisco Catalyst_Sd-Wan_Manager
26 May 202618:10
githubexploit
ATTACKERKB		CVE-2026-20182
14 May 202616:08
attackerkb
Circl		CVE-2026-20182
14 May 202611:33
circl
CISA KEV Catalog		Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
14 May 202600:00
cisa_kev
CISA		 CISA Adds One Known Exploited Vulnerability to Catalog
14 May 202612:00
cisa
CISA		 CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems
14 May 202612:00
cisa
Cisco		Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
14 May 202616:00
cisco
CNNVD		Cisco Catalyst SD-WAN Manager和Cisco Catalyst SD-WAN Controller 授权问题漏洞
14 May 202600:00
cnnvd
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(314960);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/28");

  script_cve_id("CVE-2026-20182");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwt50498");
  script_xref(name:"CISCO-SA", value:"cisco-sa-sdwan-rpa2-v69WY2SW");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2026/05/17");
  script_xref(name:"IAVA", value:"2026-A-0484");

  script_name(english:"Cisco Catalyst SD-WAN Controller Authentication Bypass (cisco-sa-sdwan-rpa2-v69WY2SW)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability.

  - A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart,
    and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote
    attacker to bypass authentication and obtain administrative privileges on an affected system.
    (CVE-2026-20182)

  - May 2026: This security advisory provides the details and fix information for a vulnerability that was
    discovered and fixed after the was disclosed in February 2026. This new advisory is for a new
    vulnerability in the control connection handshaking. The section of this advisory includes Show Control
    Connections guidance to help with system checks. A vulnerability in the peering authentication in
    Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-
    WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain
    administrative privileges on an affected system. This vulnerability exists because the peering
    authentication mechanism in an affected system is not working properly. An attacker could exploit this
    vulnerability by sending crafted requests to the affected system. A successful exploit could allow the
    attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-
    root user account. Using this account, the attacker could access NETCONF, which would then allow the
    attacker to manipulate network configuration for the SD-WAN fabric. (CVE-2026-20182)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8930e245");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwt50498");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwt50498");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-20182");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:sd-wan_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_vedge_detect.nbin");
  script_require_keys("Cisco/Viptela/Version");

  exit(0);
}

include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco Viptela');


var vuln_ranges = [
  { 'min_ver' : '0.0', 'fix_ver' : '20.9.9.1' },
  { 'min_ver' : '20.10', 'fix_ver' : '20.12.7.1' },
  { 'min_ver' : '20.11', 'fix_ver' : '20.12.7.1' },
  { 'min_ver' : '20.12', 'fix_ver' : '20.12.7.1' },
  { 'min_ver' : '20.13', 'fix_ver' : '20.15.5.2' },
  { 'min_ver' : '20.14', 'fix_ver' : '20.15.5.2' },
  { 'min_ver' : '20.15', 'fix_ver' : '20.15.5.2' },
  { 'min_ver' : '20.16', 'fix_ver' : '20.18.2.2' },
  { 'min_ver' : '20.18', 'fix_ver' : '20.18.2.2' },
  { 'min_ver' : '26.1', 'fix_ver' : '26.1.1.1' }
];

 
var reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'bug_id'   , 'CSCwt50498',
  'version'  , product_info['version'],
  'disable_caveat', TRUE
);

cisco::check_and_report(
  product_info:product_info,
  vuln_ranges:vuln_ranges,
  reporting:reporting
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 May 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.110
EPSS0.83838
SSVC
Cisco CatalystWide Area NetworkAuthentication BypassViptela SoftwareAdministrative Privileges
24