WARNING: Authentication Bypass in Cisco Catalyst SD-WAN Can Be Exploited to Gain Administrative

Published: 18/05/2026
  • Last update: 18/05/2026
  • Affected software:
    Cisco Catalyst SD-WAN Controller (formerly vSmart); all deployment types (On-Prem, Cloud-Pro, Cisco Managed Cloud, FedRAMP); releases prior to 20.9.9.1, 20.12.5.4 / 20.12.6.2 / 20.12.7.1, 20.15.4.4 / 20.15.5.2, 20.18.2.2, 26.1.1.1
    Cisco Catalyst SD-WAN Manager (formerly vManage); all deployment types; releases prior to 20.9.9.1, 20.12.5.4 / 20.12.6.2 / 20.12.7.1, 20.15.4.4 / 20.15.5.2, 20.18.2.2, 26.1.1.1
  • Type:
    → CWE-287: Improper Authentication
    → CWE-611: Improper Restriction of XML External Entity Reference
    → CWE-779: Logging of Excessive Data
    → CWE-20: Improper Input Validation
  • CVE/CVSS
    → CVE-2026-20182: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2026-20224: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
    → CVE-2026-20209: CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
    → CVE-2026-20210: CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Sources

Cisco - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW#fs
Cisco - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R

Risks

Cisco Catalyst SD-WAN is a networking solution used by enterprises and organisations to manage and orchestrate wide area network connectivity across multiple sites and cloud environments. The SD-WAN Controller and Manager sit at the heart of the control plane and are responsible for orchestrating routing, policy enforcement, and configuration across the entire SD-WAN fabric.

CVE-2026-20182 is the most severe vulnerability in this advisory. It is actively exploited in the wild and Rapid7 has published a public Metasploit module demonstrating exploitation, so patching as quickly as possible is highly recommended. If exploited, an unauthenticated remote attacker can bypass authentication and gain high-privileged access to the SD-WAN control plane, enabling full manipulation of network configurations. Successful exploitation threatens the Confidentiality, Integrity, and Availability of all network infrastructure managed by the affected SD-WAN deployment.

CVE-2026-20224 allows an unauthenticated remote attacker to read arbitrary files from the affected system via an XML External Entity (XXE) injection, impacting Confidentiality.

CVE-2026-20209 and CVE-2026-20210 allow authenticated attackers with low (read-only) privileges to escalate their access to that of a high-privileged user, impacting Confidentiality and Integrity.

Description

CVE-2026-20182 is a critical authentication bypass affecting the DTLS-based control-connection handshake in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The flaw exists because, when a connecting peer declares itself to be a vHub device, the system omits device-type-specific certificate verification yet still marks the peer as authenticated. An unauthenticated remote attacker can exploit this by sending a crafted DTLS handshake sequence that bypasses authentication checks and establishes a trusted control-plane peer relationship. Once authenticated, the attacker can issue arbitrary configuration commands across the SD-WAN fabric or establish persistent administrative access.

CVE-2026-20224 is an XML External Entity (XXE) injection vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability is caused by improper handling of XML External Entity entries during XML parsing. An unauthenticated remote attacker can send a crafted HTTP request to exploit this flaw and read arbitrary files stored on the underlying system, without requiring valid credentials.
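The defensive counterpart to the XXE flaw described above is an XML entry point that never resolves a DTD or an external entity. The block below is an added example written for this advisory, not Cisco's code: it uses Python's bundled expat bindings to turn a DOCTYPE, an entity declaration, or an external entity reference into a hard error before any file could be read, and it is run over two constructed documents (an ordinary request body and one shaped like an XXE attempt, with a placeholder path).

```python
"""Added example: an XML entry point that refuses DTDs and external entities.
Generic CWE-611 hardening using Python's expat bindings; it is not Cisco's
parser, and the sample documents below are constructed."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document tries to declare a DTD or reference an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML into {tag: text} for elements that carry text.

    Three handlers turn the usual XXE building blocks into hard errors before
    any entity can be resolved: the DOCTYPE itself, any entity declaration,
    and any attempt to load an external entity.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    buf: list = []

    def forbid_doctype(name, _sysid, _pubid, _has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted from clients")

    def forbid_entity_decl(*_args):
        raise UnsafeXML("entity declaration rejected")

    def forbid_external(_context, _base, system_id, _public_id):
        raise UnsafeXML(f"external entity reference {system_id!r} rejected")

    def start(_tag, _attrs):
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(tag):
        text = "".join(buf).strip()
        buf.clear()
        if text:
            fields[tag] = text

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples: an ordinary request body, and one carrying the kind of
# DOCTYPE/external-entity declaration an XXE attempt relies on (placeholder path).
SAFE_SAMPLE = b'<?xml version="1.0"?><device><hostname>edge-01</hostname><site>100</site></device>'
UNSAFE_SAMPLE = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder/not-a-real-path">]>'
                 b'<d>&x;</d>')

if __name__ == "__main__":
    print("safe document  ->", parse_untrusted_xml(SAFE_SAMPLE))
    print("unsafe document rejected:", is_rejected(UNSAFE_SAMPLE))
```

Rejecting the DOCTYPE outright is the simplest rule: ordinary API payloads do not need one, and refusing it removes the whole entity-expansion surface (external files, SSRF-style fetches and entity-expansion denial of service) rather than patching one case.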

CVE-2026-20209 is a privilege escalation vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability exists because sensitive session information is recorded in audit logs. An authenticated remote attacker with read-only permissions can retrieve privileged session tokens from those logs and use them to perform actions as a high-privileged user.

CVE-2026-20210 is a privilege escalation vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. The vulnerability is caused by a failure to redact sensitive information within device configurations and templates. An authenticated remote attacker with read-only permissions can access this exposed sensitive information and use it to elevate their privileges to those of a high-privileged user.
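Both privilege-escalation issues above come down to secrets that should have been scrubbed before a low-privileged user could see them: session tokens in audit logs (CVE-2026-20209) and credentials inside device configurations and templates (CVE-2026-20210). The block below is an added example illustrating that redaction step in Python; it is not the product's code, and the field names, patterns, sample audit events and template fragment are all assumptions constructed for the example. The same `redact()` function is applied once through a logging filter and once to a template string.

```python
"""Added example: scrub session tokens and configuration secrets before they are
written to an audit log or shown in a template view. Generic illustration of the
redaction the two CVEs above call for; names, patterns and samples are assumptions."""
import io
import logging
import re

# Each pattern captures the label/separator in group 1 and the secret in group 2.
# These labels are generic assumptions, not the affected product's actual fields.
SECRET_PATTERNS = [
    re.compile(r"(?i)((?:JSESSIONID|session[_-]?id)\s*[=:]\s*)([^\s;,]+)"),
    re.compile(r"(?i)(authorization:\s*bearer\s+)([^\s,]+)"),
    re.compile(r"(?i)((?:x-)?(?:xsrf|csrf)[_-]?token\s*[=:]\s*)([^\s;,]+)"),
    re.compile(r"(?i)\b((?:password|shared-secret|secret)\s*[=:\s]\s*)(\S+)"),
]


def redact(text: str) -> str:
    """Replace every secret value matched by SECRET_PATTERNS with [REDACTED]."""
    for pat in SECRET_PATTERNS:
        text = pat.sub(r"\g<1>[REDACTED]", text)
    return text


class RedactSecrets(logging.Filter):
    """Logging filter that rewrites the fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; prevent a second % substitution
        return True


def make_audit_logger(stream) -> logging.Logger:
    """Audit logger writing to `stream`, with redaction attached at the logger level."""
    logger = logging.getLogger("example.audit")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("AUDIT %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactSecrets())  # on the logger, so every handler benefits
    return logger


# Constructed sample audit events and a constructed template fragment.
SAMPLE_EVENTS = [
    "user=viewer1 action=GET /api/devices cookie=JSESSIONID=abc123SESSION; x-xsrf-token=XYZ-token-42",
    "user=viewer1 action=login-ok Authorization: Bearer eyJ-constructed-token",
]
SAMPLE_TEMPLATE = "system\n host-name edge-01\n aaa user netadmin password s3cret-constructed\n"


def write_audit(events) -> list:
    """Run events through the redacting logger and return the emitted lines."""
    stream = io.StringIO()
    logger = make_audit_logger(stream)
    for event in events:
        logger.info(event)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in write_audit(SAMPLE_EVENTS):
        print(line)
    print(redact(SAMPLE_TEMPLATE))
```

Attaching the filter to the logger rather than to one handler matters: a token that is scrubbed from the file handler but not from a syslog or API handler is still exposed to whoever can read that second sink, which is exactly the read-only-user path the advisory describes.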

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
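Because the fixed releases are spread over several maintenance branches, a plain numeric comparison gets the answer wrong (20.12.6.1 sorts above 20.12.5.4 yet is still vulnerable). The block below is an added example, not a Cisco tool, that applies the advisory's fixed-release list to an inventory: the release numbers are copied from the "Affected software" section, while the branch-matching rule and the sample inventory hostnames and versions are assumptions constructed for the example.

```python
"""Added example: check an SD-WAN Manager/Controller release against the fixed
releases listed in this advisory. Not a Cisco tool; the fixed-release list is
copied from the advisory, and the branch-matching rule below is an assumption
about how Cisco's "releases prior to" wording is read."""
import re

# Fixed releases as listed on the page (identical for Manager and Controller).
FIXED_RELEASES = [
    "20.9.9.1",
    "20.12.5.4", "20.12.6.2", "20.12.7.1",
    "20.15.4.4", "20.15.5.2",
    "20.18.2.2",
    "26.1.1.1",
]

# Constructed inventory (hostnames and versions are made up for this example).
INVENTORY = {
    "vmanage-01": "20.12.6.1",
    "vmanage-02": "20.12.6.2",
    "vsmart-01": "20.9.9.0",
    "vsmart-02": "20.12.4.1",
}


def parse_version(text: str) -> tuple:
    """Extract the four-part release number, e.g. 'version 20.12.5.4' -> (20, 12, 5, 4)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no four-part release number in {text!r}")
    return tuple(int(g) for g in m.groups())


def _fmt(v: tuple) -> str:
    return ".".join(map(str, v))


def assess_release(running: str) -> tuple:
    """Return (status, detail); status is 'vulnerable', 'fixed' or 'unlisted'."""
    v = parse_version(running)
    fixed = sorted(parse_version(f) for f in FIXED_RELEASES)

    # 1. Same maintenance branch (first three numbers): only the rebuild number
    #    decides, so 20.12.6.1 is vulnerable even though it sorts above 20.12.5.4.
    same_branch = [f for f in fixed if f[:3] == v[:3]]
    if same_branch:
        target = max(same_branch)
        if v < target:
            return "vulnerable", f"upgrade to {_fmt(target)}"
        return "fixed", f"at or above {_fmt(target)}"

    # 2. No fix on this branch. The advisory says "releases prior to" the fixed
    #    ones, so anything older than the newest listed fix is treated as
    #    affected and must move to the next fixed branch (conservative reading).
    later = [f for f in fixed if f > v]
    if later:
        return "vulnerable", f"no fix on this branch; migrate to {_fmt(later[0])} or later"
    return "unlisted", "newer than every listed fixed release; confirm against the vendor advisory"


def exposed_hosts(inventory: dict) -> list:
    """Sorted names of hosts whose release is assessed as vulnerable."""
    return sorted(h for h, ver in inventory.items() if assess_release(ver)[0] == "vulnerable")


if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        status, detail = assess_release(ver)
        print(f"{host:<12} {ver:<10} {status:<10} {detail}")
```

The "unlisted" status is deliberate: a release the advisory does not mention is not evidence that it is fixed, and the vendor advisory linked under Sources remains the authority for any release outside the listed branches.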

Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-20182
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-20209
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-20210
NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-20224