Summary

• A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

  This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Affected Products

• Vulnerable Products

  This vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, regardless of device configuration.

  This vulnerability affects the following deployment types:

  • On-Prem Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud - Cisco Managed
  • Cisco Hosted SD-WAN Cloud - FedRAMP Environment

  For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

  Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Details

• Important: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply:

  • Cisco SD-WAN Controllers are now Cisco Catalyst SD-WAN Control Components
  • Cisco SD-WAN vAnalytics is now Cisco Catalyst SD-WAN Analytics
  • Cisco SD-WAN vBond is now Cisco Catalyst SD-WAN Validator
  • Cisco SD-WAN vManage is now Cisco Catalyst SD-WAN Manager
  • Cisco SD-WAN vSmart is now Cisco Catalyst SD-WAN Controller

  For a comprehensive list of all the component brand name changes, see the latest Release Notes. During the transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Indicators of Compromise

• Cisco Catalyst SD-WAN Controller systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise.

  Customers are encouraged to audit the auth.log file, located at /var/log/auth.log, for entries that are related to Accepted publickey for vmanage-admin from unknown or unauthorized IP addresses, as shown in the following example:

  2026-02-10T22:51:36+00:00 vm  sshd[804]: Accepted publickey for vmanage-admin from  port [REDACTED PORT] ssh2: RSA SHA256:[REDACTED KEY]

  Customers must check the IP address in the auth.log log file against the configured System IPs that are listed in the Cisco Catalyst SD-WAN Manager web UI in the WebUI > Devices > System IP column.

  For help determining if a Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager has been compromised, customers should open a case with the Cisco Technical Assistance Center (TAC). Before opening a new TAC case, customers are encouraged to issue the request admin-tech command from each of the control components in the SD-WAN deployment so that the admin-tech file can be provided to the Cisco TAC for review.

  Peering Event Validation Guidance

  All control connection peering events identified in Cisco Catalyst SD-WAN logs require manual validation to confirm their legitimacy, with a specific focus placed on vmanage peering types. Threat actors who compromise SD-WAN infrastructure often establish unauthorized peer connections that may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture. A comprehensive review process is essential to distinguish between legitimate network operations and potential indicators of compromise.

  Validation Checklist

  • Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.
  • Confirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.
  • Validate that the peer system IP matches documented device assignments within your SD-WAN topology.
  • Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.
  • Correlate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.
  • Cross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.

  Example Log Entry

  Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005

  In the identified example, the peer-system-ip should be validated as matching the expected IP address schema in-use, the timestamp should be validated as matching any events that might cause a peering event to occur and the public-ip should be validated as being an expected source for a peering event.

Workarounds

• There are no workarounds that address this vulnerability. However, as a mitigation, customers may use the following guidance to temporarily mitigate the impact of this vulnerability while they are planning to upgrade to a first fixed release.

  Action Owner	On-Prem Deployment
  Customer	Follow the guidelines in the Firewall Ports for Cisco Catalyst SD-WAN Deployments section of the Cisco Catalyst SD-WAN Getting Started Guide. Customers who host their own Cisco Catalyst SD-WAN deployment in their own data centers must secure intra-controller connectivity. Cisco recommends adding the access control lists (ACLs), security group rules, and/or firewall rules to restrict the traffic to port 22 and port 830 to allow only known controller IPs and other known IPs. Customers also must configure their mitigation ACLs to allow IP traffic from only specified hosts or devices that require access to the Cisco Catalyst SD-WAN Control Components.
  Action Owner	Cisco Hosted SD-WAN Cloud
  Customer	These guardrails are in place for Cisco Hosted SD-WAN Cloud.
  Action Owner	Cisco Hosted SD-WAN Cloud - FedRAMP Environment
  Customer	These guardrails are in place for Cisco Hosted SD-WAN Cloud - FedRAMP Environment.
  Action Owner	Cisco Hosted SD-WAN Cloud - Cisco Managed
  Customer and Cisco	These guardrails are in place for Cisco Hosted SD-WAN Cloud - Cisco Managed.

  While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

• Cisco considers any workarounds and mitigations (if applicable) to be temporary solutions until an upgrade to a fixed software release is available. To fully remediate these vulnerabilities and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

  Fixed Releases

  In the following table, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.

  Cisco Catalyst SD-WAN Release	First Fixed Release
  Earlier than 20.91	Migrate to a fixed release.
  20.9	20.9.8.2
  20.111	20.12.6.1
  20.12	20.12.5.3 20.12.6.1
  20.131	20.15.4.2
  20.141	20.15.4.2
  20.15	20.15.4.2
  20.161	20.18.2.1
  20.18	20.18.2.1

  1. These releases have reached End of Software Maintenance. Cisco strongly encourages customers to upgrade to a supported release.

  The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

  Additional Information

  • To check component and software release compatibility, see the SD-WAN Controller Component Compatibility Matrix.
  • For help planning an upgrade, see the Cisco Catalyst SD-WAN Upgrade Matrix.
  • For additional remediation assistance, see Remediate Catalyst SD-WAN Security Advisory - February 2026

Recommendations

• Cisco recommends upgrading the affected systems to a fixed software release.

  General Recommendations for Hardening

  • Prevent access from unsecured networks, such as the internet, to the system. If internet access to the system is required, restrict system access to only known, trusted hosts on ports/protocols that are included in the user guides.
  • Protect Cisco Catalyst SD-WAN Control Components behind a filtering device such as a firewall, and filter traffic to and from the systems while allowing only known, trusted hosts to send traffic to the systems. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Catalyst SD-WAN software.
  • Regularly monitor web log traffic for any unexpected traffic to and from systems. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.
  • Disable HTTP for the Cisco Catalyst SD-WAN Manager web UI administrator portal.
  • Disable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Catalyst SD-WAN user guides.
  • Upgrade the system to the latest version of Cisco Catalyst SD-WAN Software.
  • Change the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.
  • Use SSL/TLS, obtain an SSL certificate from a certificate authority (CA), or create a self-signed certificate.

  For more information, review the Cisco Catalyst SD-WAN Hardening Guide.

Exploitation and Public Announcements

• The Cisco PSIRT is aware of limited exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.

Source

• Cisco would like to thank Australian Signals Directorate’s Australian Cyber Security Centre for reporting this vulnerability.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Revision History

• Version	Description	Section	Status	Date
  1.2	Updated mitigation information.	Workarounds	Final	2026-MAR-03
  1.1	Updated the fixed releases table. Added the link to a public remediation document.	Fixed Releases	Final	2026-FEB-27
  1.0	Initial public release.	-	Final	2026-FEB-25

  Show Less