automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit c6ae1bdac6b8 · 2026-05-15T18:12:51.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -9008,6 +9008,51 @@
     "needs_cleanup": false,
     "actions": []
   },
+  "auxiliary_admin/networking/cisco_sdwan_vhub_auth_bypass": {
+    "name": "Cisco Catalyst SD-WAN Controller vHub Authentication Bypass",
+    "fullname": "auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2026-05-07",
+    "type": "auxiliary",
+    "author": [
+      "sfewer-r7",
+      "Crypto-Cat"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability (CVE-2026-20182)\n          in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane\n          service performs no certificate or credential verification for connecting peers\n          that claim to be a vHub (device type 2). The vbond_proc_challenge_ack() function\n          implements device-type-specific verification through a series of conditional\n          blocks, but contains no code path for device type 2 (vHub). After a DTLS\n          handshake using any self-signed certificate, an attacker sends a CHALLENGE_ACK\n          (msg_type=9) with the vHub device type encoded in the protocol header. The\n          function falls through all verification checks and unconditionally sets\n          peer->authenticated = 1.\n\n          This module leverages the authentication bypass to inject an attacker-controlled\n          SSH public key into the vmanage-admin user's authorized_keys file via a\n          VMANAGE_TO_PEER message (msg_type=14), providing persistent SSH access to the\n          controller over the NETCONF service (TCP port 830).\n\n          Affected versions: Cisco Catalyst SD-WAN Controller 20.12.6.1 and earlier.\n          Consult Cisco's security advisory for a complete list of affected versions\n          and patches.",
+    "references": [
+      "CVE-2026-20182",
+      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW",
+      "URL-https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/",
+      "URL-https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 12346,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2026-05-15 09:43:25 +0000",
+    "path": "/modules/auxiliary/admin/networking/cisco_sdwan_vhub_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/cisco_sdwan_vhub_auth_bypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
   "auxiliary_admin/networking/cisco_secure_acs_bypass": {
     "name": "Cisco Secure ACS Unauthorized Password Change",
     "fullname": "auxiliary/admin/networking/cisco_secure_acs_bypass",
