CVE-2026-20182 Critical Authentication Bypass in Cisco Catal...

src/SUMMARY.md

@@ -628,6 +628,7 @@
 - [10000 - Pentesting Network Data Management Protocol (ndmp)](network-services-pentesting/10000-network-data-management-protocol-ndmp.md)
 - [11211 - Pentesting Memcache](network-services-pentesting/11211-memcache/README.md)
   - [Memcache Commands](network-services-pentesting/11211-memcache/memcache-commands.md)
+- [12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane](network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md)
 - [15672 - Pentesting RabbitMQ Management](network-services-pentesting/15672-pentesting-rabbitmq-management.md)
 - [24007,24008,24009,49152 - Pentesting GlusterFS](network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md)
 - [27017,27018 - Pentesting MongoDB](network-services-pentesting/27017-27018-mongodb.md)

src/generic-methodologies-and-resources/pentesting-network/README.md

@@ -1003,4 +1003,3 @@ telecom-network-exploitation.md
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

src/network-services-pentesting/12346-udp-pentesting-cisco-sd-wan-control-plane.md

@@ -0,0 +1,93 @@
+# 12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane
+
+{{#include ../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Cisco Catalyst SD-WAN controllers expose a **DTLS control-plane service on UDP/12346** (`vdaemon`). This service should be treated like a routing-adjacency surface: if an attacker can become an authenticated peer, they may be able to pivot into the overlay fabric.
+
+`vdaemon` uses a **12-byte header** where the **high nibble** of `device_info` encodes the claimed device role:
+
+| Role value | Claimed role |
+| --- | --- |
+| `1` | vEdge |
+| `2` | vHub |
+| `3` | vSmart |
+| `4` | vBond |
+| `5` | vManage |
+| `6` | ZTP |
+
+The DTLS handshake is not enough to authenticate a peer by itself. Peer trust is finalized later during control-plane bootstrap messages such as `CHALLENGE_ACK`.
+
+**Default port:** 12346/udp
+
+```text
+PORT      STATE SERVICE
+12346/udp open  unknown
+```
+
+## Enumeration
+
+Discover the control-plane service and follow-on management ports:
+
+```bash
+nmap -sU -p12346 <IP>
+nmap -sT -p22,830 <IP>
+```
+
+If the host exposes TCP/830, check whether NETCONF over SSH is reachable:
+
+```bash
+ssh -p 830 <user>@<IP>
+```
+
+## Pentesting Cisco SD-WAN Control Plane
+
+### Pre-auth Role Confusion
+
+`CHALLENGE_ACK` (**message type `9`**) is reachable before authentication because it is part of the control-plane bootstrap allowlist. In CVE-2026-20182, Rapid7 showed that `vbond_proc_challenge_ack()` verified some roles (`vEdge`, `vSmart`, `vManage`) but had no verification branch for claimed role `2` / vHub.
+
+Because the function later fell through to `peer->authenticated = 1`, an attacker could:
+
+1. Complete DTLS with any certificate.
+2. Send `CHALLENGE_ACK` with the high nibble of `device_info` set to `2`.
+3. Send `Hello`.
+4. Transition to an UP authenticated peer.
+
+This is a useful bug pattern to hunt in proprietary control planes: attacker-controlled role selection, missing default-deny validation, and pre-auth handshake messages.
+
+### Post-auth Pivot
+
+Once treated as an authenticated peer, the controller accepted `MSG_VMANAGE_TO_PEER` (**message type `14`**) and appended attacker-controlled data to `/home/vmanage-admin/.ssh/authorized_keys`.
+
+This turns a control-plane foothold into persistent NETCONF over SSH access on TCP/830 as `vmanage-admin`.
+
+```bash
+# Rapid7 module automating the vHub auth bypass and SSH key injection
+msf6 > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass
+msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > set RHOSTS <IP>
+msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > run
+
+# If the target accepts the injected key, pivot to NETCONF over SSH
+ssh -i <loot_key.pem> vmanage-admin@<IP> -p 830
+```
+
+Review similar appliances for post-auth messages that write SSH keys, API tokens, trust bundles, or bootstrap secrets for privileged internal service accounts.
+
+## Detection
+
+- Audit Internet-facing or cross-trust-boundary exposure of UDP/12346 and TCP/830.
+- Inspect `/home/vmanage-admin/.ssh/authorized_keys` for unexpected appended keys after control-plane events.
+- After gaining NETCONF, remember that configuration and state retrieval may be available even if a normal shell is not.
+
+## Shodan
+
+- `port:12346`
+- `port:830 "NETCONF"`
+
+## References
+
+- [Rapid7: CVE-2026-20182 - Critical authentication bypass in Cisco Catalyst SD-WAN Controller](https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/)
+- [Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW)
+
+{{#include ../banners/hacktricks-training.md}}