Product Details
Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller are core components of Cisco’s SD-WAN architecture.
- SD-WAN Manager (formerly vManage) – Centralized management plane responsible for configuration, policy orchestration, template management, API access, logging, and lifecycle operations.
- SD-WAN Controller (vSmart and control components) – Handles control-plane communication, route distribution, policy enforcement, and secure device-to-device trust within the SD-WAN fabric.
Both systems typically expose HTTPS-based management and control interfaces. If compromised, full network orchestration control may be obtained.
CVE-2026-20129
Improper Authentication in Cisco Catalyst SD-WAN Manager
Vulnerability Overview
An authentication validation weakness exists within the REST API framework of SD-WAN Manager. Certain administrative API endpoints were not enforcing proper session validation. As a result, requests crafted without valid authentication tokens could be processed as trusted.
Administrative (netadmin) privileges could be obtained remotely without prior authentication.
Vulnerability Classification
| Field | Value |
|---|---|
| CVE ID | CVE-2026-20129 |
| Vulnerability Type | Improper Authentication |
| CVSS v3 Score | 9.8 (Critical) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Exploitability | High |
| Exploit Code | Public PoC observed (educational contexts) |
Technical Details
The issue originates from insufficient validation of session cookies and authentication headers in specific /dataservice/ API endpoints. The API request handler incorrectly assumed a valid authentication context when processing certain POST operations.
Under specific conditions:
- No valid JSESSIONID token was required
- Token signature validation was not enforced
- Role validation checks were skipped
Administrative API operations were therefore accessible directly over HTTPS.
Affected API categories include:
- User management
- Policy management
- Template deployment
- Device configuration operations
- Certificate administration
The flaw allows privilege escalation directly to the netadmin role without any prior login.
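The three missing checks listed above (token presence, token signature, role) are what a correct handler must enforce before any administrative operation. The following is an added, illustrative example written for this page; it is not Cisco's code and does not reproduce the SD-WAN Manager API framework. The token format, the HMAC signing secret, the request dictionary shape and the `REQUIRED_ROLE` table are all assumptions constructed for the demonstration; only the `/dataservice/admin/user` path and the `JSESSIONID` cookie name come from the advisory text.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret: a real deployment keeps this in a secret store.
SERVER_SECRET = b"constructed-demo-signing-secret"

# Role required per administrative path (constructed table; only the
# /dataservice/admin/user path is named in the advisory).
REQUIRED_ROLE = {"/dataservice/admin/user": "netadmin"}


class AuthError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def issue_token(session_id, user, groups):
    """Mint a session token as '<b64 json claims>.<b64 hmac-sha256>' (illustrative format)."""
    body = json.dumps({"sid": session_id, "user": user, "groups": groups},
                      sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token):
    """Return the claims only if the signature over them verifies."""
    try:
        b64body, b64sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64body)
        sig = base64.urlsafe_b64decode(b64sig)
    except ValueError:                       # binascii.Error is a ValueError subclass
        raise AuthError(401, "malformed session token")
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise AuthError(401, "invalid token signature")
    try:
        claims = json.loads(body)
    except ValueError:
        raise AuthError(401, "malformed session token")
    if not isinstance(claims, dict):
        raise AuthError(401, "malformed session token")
    return claims


def authorize(request):
    """The three checks the advisory lists as missing: presence, signature, role."""
    token = request.get("cookies", {}).get("JSESSIONID")
    if not token:
        raise AuthError(401, "no JSESSIONID session token")    # check 1: token present
    claims = verify_token(token)                                # check 2: signature valid
    needed = REQUIRED_ROLE.get(request["path"])
    if needed and needed not in claims.get("groups", []):
        raise AuthError(403, "role %s required" % needed)       # check 3: role enforced
    return claims


def vulnerable_create_user(request):
    """Models the flawed behaviour: assumes an authentication context that was never checked."""
    return 200, {"created": request["json"]["userName"], "by": "<unknown>"}


def hardened_create_user(request):
    """Same operation with the authorization checks applied first. Returns (status, body)."""
    try:
        claims = authorize(request)
    except AuthError as err:
        return err.status, {"error": err.reason}
    return 200, {"created": request["json"]["userName"], "by": claims.get("user")}


if __name__ == "__main__":
    # Constructed request shaped like the crafted POST in the advisory: no cookie at all.
    unauth = {"path": "/dataservice/admin/user", "cookies": {},
              "json": {"userName": "temp_admin", "group": ["netadmin"]}}
    print(vulnerable_create_user(unauth))   # 200: account created without login
    print(hardened_create_user(unauth))     # 401: rejected before the operation runs
```

The hardened handler returns 401 when no token is present or the signature fails, and 403 when the token is valid but the caller lacks the netadmin role; a splice of one token's claims onto another token's signature is rejected by the HMAC comparison, which is the property the advisory describes as "token signature validation was not enforced".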
Exploitation Methodology (Educational)
The exploitation flow has generally followed these stages:
- Target discovery through HTTPS scanning (default ports 443 or 8443).
- Identification of SD-WAN Manager banner or API endpoint.
- Direct POST request submission to administrative endpoint.
- Creation of new administrative account or extraction of configuration.
Example crafted request (for lab demonstration only):
POST /dataservice/admin/user HTTP/1.1
Host: target
Content-Type: application/json

{
"userName":"temp_admin",
"password":"StrongPass123!",
"group":["netadmin"]
}
If the target is vulnerable, an HTTP 200 response is returned and the account is created without any login.
No authentication cookie or bearer token is supplied.
Proof-of-Concept Availability
Proof-of-concept code has circulated in controlled research environments. The PoC primarily demonstrates:
- Direct unauthenticated API call
- Creation of administrative account
- Configuration export capability
No exploit chaining is required. No brute force is required. No authentication bypass trick is needed beyond direct request execution.
Potential Impact
Once exploited, the following could be performed:
- Deployment of malicious device templates
- Routing manipulation across WAN fabric
- Creation of persistent administrative accounts
- Extraction of VPN configurations
- Download of certificates
- Lateral movement into branch devices
- Policy injection for traffic interception
Complete compromise of the SD-WAN environment must be assumed.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts
- T1068 – Privilege Escalation
- T1021 – Remote Services
Indicators of Compromise
- New administrative accounts created outside change window
- API logs showing POST to /dataservice/admin/user without a corresponding login record
- Configuration pushes from unknown IP addresses
- Unexpected template modifications
- Audit logs missing corresponding authentication events
Detection
Log Sources
- SD-WAN Manager Audit Logs
- Web Server Access Logs
- Reverse Proxy Logs (if deployed)
- Network Firewall Logs
- SIEM Correlated Events
- EDR telemetry on management host
Splunk Detection Query
index=sdwan sourcetype=sdwan_api_logs
method=POST uri_path="/dataservice/admin/user"
| search NOT session_id=*
| stats count by src_ip, uri_path, _time
QRadar AQL Query
SELECT sourceIP, URL, COUNT(*)
FROM events
WHERE URL LIKE '%/dataservice/admin/user%'
AND customProperty("session_id") IS NULL
GROUP BY sourceIP, URL
LAST 24 HOURS
Elastic (KQL) Query
http.request.method: "POST" and
url.path: "/dataservice/admin/user" and
not http.request.headers.cookie: *
Network IDS Rule Concept
alert tcp any any -> $SDWAN_MANAGER 443 (msg:"SDWAN unauthenticated admin user API request"; flow:to_server,established; content:"POST /dataservice/admin/user"; nocase; sid:1000001; rev:1;)
Because traffic on port 443 is TLS-encrypted, this content match only works where the sensor sees decrypted traffic (for example behind a TLS-terminating reverse proxy or from a decryption tap); otherwise rely on the log-based queries above.
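The Splunk, AQL and KQL queries above all express the same rule: a POST to the administrative user endpoint with no session identifier. The script below is an added example for this page, not part of the advisory or any Cisco tooling, that applies that rule to a constructed batch of JSON log lines and additionally cross-checks each admin POST against login events, which covers the "audit logs missing corresponding authentication events" indicator. The log field names (`event`, `uri_path`, `session_id`, `status`) are assumptions modelled on the Splunk query; the records themselves are invented.

```python
import json
from collections import Counter

# Constructed sample of API access / audit log lines, one JSON object per line.
SAMPLE_LOGS = """\
{"ts":"2026-03-02T09:00:01Z","event":"login","src_ip":"10.10.0.5","user":"admin","session_id":"S-100"}
{"ts":"2026-03-02T09:00:15Z","event":"api","src_ip":"10.10.0.5","method":"POST","uri_path":"/dataservice/admin/user","status":200,"session_id":"S-100"}
{"ts":"2026-03-02T09:05:44Z","event":"api","src_ip":"198.51.100.23","method":"POST","uri_path":"/dataservice/admin/user","status":200,"session_id":null}
{"ts":"2026-03-02T09:05:46Z","event":"api","src_ip":"198.51.100.23","method":"GET","uri_path":"/dataservice/device","status":200,"session_id":null}
{"ts":"2026-03-02T09:07:10Z","event":"api","src_ip":"203.0.113.9","method":"POST","uri_path":"/dataservice/admin/user","status":200,"session_id":"S-999"}
{"ts":"2026-03-02T09:09:00Z","event":"api","src_ip":"10.10.0.7","method":"POST","uri_path":"/dataservice/admin/user","status":401,"session_id":null}
"""

# Prefix match so sibling admin paths are covered; the advisory names /dataservice/admin/user.
ADMIN_PATHS = ("/dataservice/admin/",)


def parse(lines):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def detect(records):
    """Flag admin POSTs with no session token, or with a session that never logged in."""
    logins = {r["session_id"] for r in records if r.get("event") == "login"}
    findings = []
    for r in records:
        if r.get("event") != "api" or r.get("method") != "POST":
            continue
        if not r.get("uri_path", "").startswith(ADMIN_PATHS):
            continue
        sid = r.get("session_id")
        if not sid:
            # A 200 here means the operation succeeded unauthenticated; a 401 is
            # the expected rejection on patched code but still worth tracking.
            severity = "critical" if r.get("status") == 200 else "medium"
            findings.append({"src_ip": r["src_ip"], "ts": r["ts"], "severity": severity,
                             "reason": "admin POST without session token"})
        elif sid not in logins:
            findings.append({"src_ip": r["src_ip"], "ts": r["ts"], "severity": "high",
                             "reason": "admin POST with session %s that has no login event" % sid})
    return findings


def by_source(findings):
    """Count findings per source address, the same grouping the SIEM queries use."""
    return Counter(f["src_ip"] for f in findings)


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOGS)):
        print(finding)
    print(by_source(detect(parse(SAMPLE_LOGS))))
```

On the sample data the legitimate admin session (S-100, preceded by a login) produces nothing, the unauthenticated successful POST from 198.51.100.23 is critical, the POST using a session with no login record is high, and the rejected unauthenticated attempt is medium. Sessions minted before the log window opens will show up as "no login event", so in production the login set should be drawn from a window wider than the API events being examined.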
Containment Actions
If exploitation is suspected:
- Immediately isolate SD-WAN Manager
- Rotate all administrative credentials
- Review user database
- Validate configuration integrity
- Redeploy clean configuration templates
- Reissue certificates if necessary
Official Patch / Upgrade
Cisco has released corrected software versions addressing the authentication validation logic.
Official upgrade guidance and fixed releases are available at:
https://tools.cisco.com/security/center/softwarechecker.x
Upgrade to the latest fixed SD-WAN Manager release as specified in the Cisco advisory. No workaround is considered sufficient without the upgrade.
CVE-2026-20127
Authentication Bypass in Cisco Catalyst SD-WAN Controller / Manager
Vulnerability Overview
An authentication bypass condition exists in the SD-WAN fabric peering mechanism. Peer identity validation during control-plane connection establishment was not enforced correctly under specific scenarios.
Unauthorized nodes could join the SD-WAN fabric and obtain administrative-level influence over routing and policies.
Vulnerability Classification
| Field | Value |
|---|---|
| CVE ID | CVE-2026-20127 |
| Vulnerability Type | Authentication Bypass |
| CVSS v3 Score | 10.0 (Critical) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Exploitability | Very High |
| Exploit Code | Public research PoC observed |
Technical Details
During control-plane peering:
- Device identity is validated using certificates.
- Serial number and organization name checks are performed.
- Control connections are established over DTLS/TLS.
In vulnerable versions, certificate chain validation and device authorization checks could be bypassed in certain trust-establishment scenarios.
As a result:
- A malicious node could present incomplete or manipulated credentials.
- Control-plane handshake could still succeed.
- Device would be added into the fabric trust domain.
Once admitted, full routing policy influence becomes possible.
Exploitation Flow (Educational)
- Attacker discovers exposed control-plane interface.
- Spoofed control connection initiated.
- Modified certificate payload submitted.
- Validation logic bypassed.
- Malicious node joins fabric.
- Routing table manipulation executed.
This attack does not require prior authentication or valid credentials.
Proof-of-Concept Availability
Research demonstrations have shown:
- Emulation of rogue controller
- Fabric join acceptance
- Policy injection capability
Exploit development complexity is moderate, but once successful, impact is complete control-plane compromise.
Impact Assessment
Successful exploitation may allow:
- Traffic interception
- Route hijacking
- Branch isolation
- Policy override
- Denial of service
- Persistence through rogue device presence
The trust boundary of the entire WAN fabric becomes invalid.
MITRE ATT&CK Mapping
- T1557 – Man-in-the-Middle
- T1134 – Access Token Manipulation
- T1565 – Data Manipulation
- T1190 – Exploit Public-Facing Application
Indicators of Compromise
- Unknown device serial numbers in fabric inventory
- New control connections from unapproved IP addresses
- Certificate mismatch warnings
- Sudden routing table updates
- Increased DTLS handshake attempts
Detection
Log Sources
- Controller Control Logs
- DTLS/TLS Handshake Logs
- Certificate Validation Logs
- Device Join Logs
- Network IDS Logs
- Firewall Logs
Splunk Detection Query
index=sdwan sourcetype=sdwan_control_logs
event_type="control_connection"
| search NOT authorized_device="true"
| stats count by src_ip, device_serial
Elastic (KQL) Query
event.category: "network" and
event.action: "control_connection" and
not device.authorized: true
QRadar AQL Query
SELECT sourceIP, deviceSerial, COUNT(*)
FROM events
WHERE eventName = 'Control Connection Established'
AND authorizedDevice = 'false'
GROUP BY sourceIP, deviceSerial
LAST 24 HOURS
Network IDS Rule Concept
alert udp any any -> $SDWAN_CONTROLLER 12346 (msg:"SDWAN Suspicious Control Plane Join Attempt"; threshold:type both, track by_src, count 20, seconds 60; sid:1000002; rev:1;)
Without the threshold this rule would fire on every DTLS packet to the controller, including traffic from legitimate peers; the threshold limits it to sources producing bursts of connection attempts, and known-good edge addresses should be suppressed so the alert tracks the "increased DTLS handshake attempts" indicator rather than normal fabric traffic.
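The detection queries above reduce to two checks on control-plane logs: control connections from devices that are not authorized (unknown serial, wrong organization name, failed certificate chain) and bursts of DTLS handshake attempts from one source. The script below is an added example for this page, not Cisco's code or output, that runs both checks over constructed log records. The authorized inventory, organization name, log field names (`event`, `device_serial`, `org_name`, `cert_chain_valid`) and the handshake threshold are all assumptions made for the demonstration.

```python
import json
from collections import Counter

# Constructed authorized device inventory: serial -> expected organization name.
AUTHORIZED = {
    "CSR-0001": "example-org",
    "CSR-0002": "example-org",
}

# Maximum DTLS handshake attempts per source in the examined window (tuned per fabric).
HANDSHAKE_THRESHOLD = 5

# Constructed control-plane log records, one JSON object per line.
SAMPLE_CONTROL_LOGS = """\
{"ts":"2026-03-02T10:00:00Z","event":"dtls_handshake","src_ip":"10.20.0.11","device_serial":"CSR-0001"}
{"ts":"2026-03-02T10:00:01Z","event":"control_connection","src_ip":"10.20.0.11","device_serial":"CSR-0001","org_name":"example-org","cert_chain_valid":true}
{"ts":"2026-03-02T10:01:00Z","event":"dtls_handshake","src_ip":"192.0.2.40","device_serial":"CSR-9999"}
{"ts":"2026-03-02T10:01:01Z","event":"control_connection","src_ip":"192.0.2.40","device_serial":"CSR-9999","org_name":"example-org","cert_chain_valid":false}
{"ts":"2026-03-02T10:02:00Z","event":"control_connection","src_ip":"10.20.0.12","device_serial":"CSR-0002","org_name":"other-org","cert_chain_valid":true}
"""


def parse(lines):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


# Constructed burst of repeated handshakes from the unknown device's address.
SAMPLE_RECORDS = parse(SAMPLE_CONTROL_LOGS) + [
    {"ts": "2026-03-02T10:01:%02dZ" % (10 + i), "event": "dtls_handshake",
     "src_ip": "192.0.2.40", "device_serial": "CSR-9999"}
    for i in range(6)
]


def audit_joins(records):
    """Return one finding per control connection that fails any authorization check."""
    findings = []
    for r in records:
        if r.get("event") != "control_connection":
            continue
        serial = r.get("device_serial")
        reasons = []
        if serial not in AUTHORIZED:
            reasons.append("serial not in authorized inventory")
        elif AUTHORIZED[serial] != r.get("org_name"):
            reasons.append("organization name mismatch")
        if r.get("cert_chain_valid") is not True:
            reasons.append("certificate chain did not validate")
        if reasons:
            findings.append({"ts": r["ts"], "src_ip": r["src_ip"],
                             "device_serial": serial, "reasons": reasons})
    return findings


def handshake_spikes(records, threshold=HANDSHAKE_THRESHOLD):
    """Return {src_ip: count} for sources whose handshake attempts exceed the threshold."""
    counts = Counter(r["src_ip"] for r in records if r.get("event") == "dtls_handshake")
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for finding in audit_joins(SAMPLE_RECORDS):
        print(finding)
    print(handshake_spikes(SAMPLE_RECORDS))
```

The unknown serial CSR-9999 is flagged twice (not in inventory and failed chain validation) and its source address also exceeds the handshake threshold, which matches the indicator list above; CSR-0002 is flagged only for the organization name mismatch. A serial that is in the inventory but joins from an address outside the expected range is not caught here and would need a per-device address allow-list as a further check.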
Incident Response Considerations
If compromise is suspected:
- Immediately isolate affected controllers
- Remove unauthorized devices from inventory
- Rotate all fabric certificates
- Regenerate organization root certificate
- Validate route tables
- Rebuild trust chain
Official Patch / Upgrade
Cisco has issued fixed releases correcting certificate and peer validation logic.
Official upgrade details and patched versions are available at:
https://tools.cisco.com/security/center/softwarechecker.x
Immediate upgrade to fixed software version is required. No compensating control fully mitigates the risk without patching.
