Critical Cisco SD-WAN Controller Flaw Under Active Attack Allows Admin Takeover

Cisco warns of active attacks exploiting a maximum-severity authentication bypass in Catalyst SD-WAN Controller that grants attackers full administrative control over network configurations.

CSBadmin

Vulnerability Overview and Impact

Cisco has issued urgent security updates for a maximum-severity authentication bypass vulnerability affecting its Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage). The flaw carries the highest possible CVSS score of 10.0 and allows an unauthenticated, remote attacker to bypass authentication entirely. A successful exploit gives the attacker administrative privileges by logging in as an internal, high-privileged, non-root user. From that account the attacker can reach NETCONF and push configuration changes across the entire SD-WAN fabric, potentially disrupting or compromising an enterprise's wide area network.

Active Exploitation and Technical Details

The vulnerability resides in the peering authentication mechanism of the vdaemon service, which handles control-plane connections over DTLS on UDP port 12346. Security researchers at Rapid7 discovered the flaw and noted that it is a distinct issue from a previous critical authentication bypass in the same products, which a threat actor group had exploited since at least 2023. The new vulnerability is not a bypass of that earlier patch, but it affects a similar component of the control plane, so having patched the earlier flaw does not protect against this one. Cisco has confirmed limited exploitation in real-world attacks, prompting the urgent advisory. Affected deployments include on-premises installations, Cisco SD-WAN Cloud Pro, Cisco SD-WAN Cloud managed by Cisco, and Cisco SD-WAN for Government (FedRAMP) systems. Organizations using these products should apply the fixed releases immediately. Until they do, it is worth confirming where each controller's DTLS listener is reachable from: the attack is network-reachable and unauthenticated, so a controller whose UDP/12346 endpoint is exposed beyond the fabric's own peers is the highest-priority target.

Source: The Hacker News
