Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Act Now | CVSS 10 | Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW | May 14, 2026
Vendor: Cisco
IT in OT: Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager allows an unauthenticated remote attacker to bypass authentication and obtain high-privileged administrative access. An attacker can exploit this by sending crafted requests to an affected system and then using NETCONF to manipulate the configuration of the SD-WAN fabric. Cisco has released software updates to address this vulnerability. There are no workarounds available.

What this means
What could happen
An attacker can bypass authentication and gain high-privileged admin access to your SD-WAN Controller or Manager without valid credentials, then use NETCONF to change network configuration across your entire SD-WAN fabric. This could redirect traffic, isolate sites, or disable WAN links.
Who's at risk
This affects any organization running Cisco Catalyst SD-WAN controllers (the Controller was formerly the vSmart Controller, the Manager was formerly vManage) to manage WAN connections across multiple branch offices or data centers. Because the vulnerable component is the control plane, every edge in a fabric managed by an exposed controller is at risk of configuration tampering and traffic manipulation, not just the controller itself.
How it could be exploited
An attacker sends crafted peering authentication requests to the SD-WAN Controller or Manager from the network. The authentication mechanism does not properly validate the request, allowing the attacker to gain unauthorized access as a high-privileged internal account. Once authenticated, the attacker can access NETCONF and modify SD-WAN fabric configuration.
Prerequisites
  • Network reachability to the control-plane services of the SD-WAN Controller or Manager (typically TCP 443 for the management interface, or the DTLS control-connection ports, UDP 12346 by default)
  • No authentication credentials required
Tags: Remotely exploitable; No authentication required; Low complexity attack; Actively exploited (KEV); Affects network control plane; Can lead to widespread fabric reconfiguration
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix

Product                      Affected Versions   Fix Status
Catalyst SD-WAN Controller   All versions        Fix available
Catalyst SD-WAN Manager      All versions        Fix available

Refer to the Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW for the specific fixed release on each software train.
Remediation & Mitigation
Do now
Catalyst SD-WAN Controller
  • HOTFIX: Apply Cisco's software update to the Catalyst SD-WAN Controller at the earliest opportunity, after the diagnostic collection described under "All products".
Catalyst SD-WAN Manager
  • HOTFIX: Apply Cisco's software update to the Catalyst SD-WAN Manager at the earliest opportunity, after the diagnostic collection described under "All products".
All products
  • HARDENING: Before applying any patch, collect admin-tech diagnostic files from each control component (SD-WAN Controller/Manager) in your deployment with the admin-tech command, so that forensic evidence of any prior compromise is preserved before the upgrade changes the system.
  • HARDENING: Review the output of show control connections on every control component for signs of unauthorized peering: peer entries whose type, system IP, site ID or public IP are not in your inventory, and in particular any vsmart, vmanage or vbond peer you do not own. A rogue peer that has since disconnected will not appear in the current table, so also check show control connections-history for recent connection attempts and failures.
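The review step above, as an added example that is not part of the OTPulse advisory or of any Cisco tooling: a Python script that parses show control connections output and flags peers that are absent from, or disagree with, an operator-maintained inventory of expected controllers and edges. The sample table below is constructed, modelled on that command's layout; the column order it assumes and the EXPECTED_PEERS inventory are both hypothetical and must be checked against your own release and fabric before the output is trusted.

```python
"""Flag unexpected peers in Cisco SD-WAN 'show control connections' output.

Added example, not part of the advisory or of Cisco's software. Assumptions:
  - the table printed by 'show control connections' has the column order
    TYPE PROT SYSTEM-IP SITE DOMAIN PRIV-IP PRIV-PORT PUB-IP PUB-PORT COLOR PROXY STATE ...
    (verify against your release before relying on the parser);
  - the operator keeps an inventory of legitimate peers keyed by system IP.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
PEER    PEER PEER           SITE DOMAIN PEER           PEER  PEER           PEER  LOCAL        PROXY STATE UPTIME     CONTROLLER
TYPE    PROT SYSTEM IP      ID   ID     PRIVATE IP     PRIV  PUBLIC IP      PUB   COLOR                                GROUP ID
                                                       PORT                 PORT
-----------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 10.0.0.2       10   1      192.0.2.2      12346 192.0.2.2      12346 default      No    up    0:12:03:11 0
vmanage dtls 10.0.0.1       10   0      192.0.2.1      12346 192.0.2.1      12346 default      No    up    0:12:03:10 0
vedge   dtls 10.1.1.1       100  1      198.51.100.10  12346 198.51.100.10  12346 biz-internet No    up    0:02:11:43 0
vedge   dtls 10.1.1.1       100  1      198.51.100.10  12366 198.51.100.10  12366 biz-internet No    up    0:02:11:40 0
vsmart  dtls 10.0.0.9       10   1      203.0.113.77   12346 203.0.113.77   12346 default      No    up    0:00:01:02 0
vedge   dtls 10.1.1.2       101  1      198.51.100.22  12346 198.51.100.22  12346 biz-internet No    up    0:00:00:40 0
"""

# Hypothetical inventory: system IP -> (expected peer type, expected site ID).
EXPECTED_PEERS = {
    "10.0.0.1": ("vmanage", "10"),
    "10.0.0.2": ("vsmart", "10"),
    "10.1.1.1": ("vedge", "100"),
}

CONTROL_TYPES = {"vsmart", "vmanage", "vbond"}  # control components, rated highest
SEPARATOR = re.compile(r"^-{20,}\s*$")           # dashed line that ends the header


@dataclass(frozen=True)
class Peer:
    peer_type: str
    protocol: str
    system_ip: str
    site_id: str
    domain_id: str
    private_ip: str
    private_port: str
    public_ip: str
    public_port: str
    color: str
    state: str


@dataclass(frozen=True)
class Finding:
    severity: str
    peer_type: str
    system_ip: str
    reason: str


def parse_control_connections(text: str) -> list[Peer]:
    """Return one Peer per data row; header lines before the separator are skipped.

    Rows are split on whitespace. Rows with too few fields are ignored rather
    than guessed at, so a truncated or differently laid-out table yields fewer
    peers, never wrong ones.
    """
    peers: list[Peer] = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = bool(SEPARATOR.match(line))
            continue
        f = line.split()
        if len(f) < 12:
            continue
        peers.append(Peer(f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[11]))
    return peers


def audit_peers(peers: list[Peer], inventory: dict[str, tuple[str, str]]) -> list[Finding]:
    """Compare observed peers against the inventory; one Finding per (type, system IP).

    An unknown control component is the signature most relevant to this advisory
    (an attacker who bypassed peering authentication appears as a peer), so it is
    rated high; an unknown edge is medium; a known system IP whose type or site
    disagrees with the inventory is high because it suggests impersonation.
    """
    findings: dict[tuple[str, str], Finding] = {}
    for p in peers:
        key = (p.peer_type, p.system_ip)
        if key in findings:
            continue  # same peer seen on another color/port; already reported
        expected = inventory.get(p.system_ip)
        if expected is None:
            if p.peer_type in CONTROL_TYPES:
                findings[key] = Finding("high", p.peer_type, p.system_ip,
                                        f"control component not in inventory (public IP {p.public_ip})")
            else:
                findings[key] = Finding("medium", p.peer_type, p.system_ip,
                                        f"edge not in inventory (site {p.site_id}, public IP {p.public_ip})")
            continue
        exp_type, exp_site = expected
        if (p.peer_type, p.site_id) != (exp_type, exp_site):
            findings[key] = Finding("high", p.peer_type, p.system_ip,
                                    f"inventory mismatch: expected {exp_type}/site {exp_site}, "
                                    f"saw {p.peer_type}/site {p.site_id}")
    return sorted(findings.values(), key=lambda x: (x.severity != "high", x.system_ip))


def run_sample() -> list[Finding]:
    """Audit the constructed sample against the hypothetical inventory."""
    return audit_peers(parse_control_connections(SAMPLE_OUTPUT), EXPECTED_PEERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding.severity.upper()}] {finding.peer_type} {finding.system_ip}: {finding.reason}")
```

Feed it the saved output of show control connections from each controller; on the constructed sample it reports the vsmart at 10.0.0.9 as high and the edge at 10.1.1.2 as medium. Anything rated high warrants an immediate look at the admin-tech bundle collected before patching, since the current table only shows peers that are still connected.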


Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | CVSS 10 - OTPulse