Cisco Catalyst SD-WAN
aka viptela, vmanage
Cisco SD-WAN (Viptela) control-plane traffic on 12346/udp between vEdge/cEdge routers and the vManage/vSmart controllers. A niche surface, but exposed controllers have carried serious auth-bypass and RCE CVEs.
Ports
| Port | Proto | Notes |
|---|---|---|
| 12346 | udp | SD-WAN control plane (DTLS) |
| 443 | tcp | vManage web UI |
Fingerprint
- DTLS control traffic on 12346/udp between SD-WAN nodes
- vManage login portal on 443
Default / weak creds
admin / admin default on vManage
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-1479 | vManage unauthenticated buffer overflow RCE |
| CVE-2023-20214 | vManage REST API auth bypass |
Exploitation primitives
- Default admin/admin on the vManage controller
- Auth-bypass / RCE CVEs against exposed vManage → control the whole SD-WAN fabric
- Control-plane access can push config to every edge router
Overview
Cisco SD-WAN uses 12346/udp for the controller↔router control plane; the real target is the vManage controller, which has had auth-bypass and RCE bugs.
Enumeration
Spot the control plane / controller:
nmap -sU -p12346 -sV <TARGET>
Try default creds on vManage (443), then check version against the CVEs above.
Hardening
Change vManage defaults, restrict controller access, and patch the vManage CVEs promptly.
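The fingerprint and hardening points above ("control-plane DTLS on 12346/udp only between SD-WAN nodes", "restrict controller access") translate directly into a detection rule. The following is an added example, not code from the page or from Cisco: it parses a constructed, simplified flow-log format and flags (a) 12346/udp flows where either peer is not a known SD-WAN node and (b) vManage web-UI (443/tcp) access from outside the management network. All addresses, the allowlist, and the log format are assumptions made up for the example.

```python
"""Flag unexpected Cisco SD-WAN control-plane (12346/udp) and vManage UI (443/tcp)
flows in firewall/flow logs.  Added example; log format and addresses are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed allowlist: the controllers and edge routers the operator knows about.
KNOWN_SDWAN_NODES = {
    "10.0.100.10",  # vManage (assumed address)
    "10.0.100.11",  # vSmart (assumed address)
    "10.0.200.1",   # vEdge at site A (assumed address)
}
# Constructed: the only network that should reach the vManage web UI.
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
VMANAGE = "10.0.100.10"


def parse_flow(line):
    """Parse a simplified 'src=... dst=... dport=... proto=...' line (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def check_flow(flow):
    """Return a list of finding strings for one flow; empty list means nothing to report."""
    findings = []
    if flow.dport == 12346 and flow.proto == "udp":
        # DTLS control plane should only ever run between known SD-WAN nodes;
        # an unknown peer means either an exposed controller or a rogue node.
        for peer in (flow.src, flow.dst):
            if peer not in KNOWN_SDWAN_NODES:
                findings.append(f"12346/udp control plane with unknown peer {peer}")
    if flow.dst == VMANAGE and flow.dport == 443 and flow.proto == "tcp":
        src = ipaddress.ip_address(flow.src)
        if not any(src in net for net in MGMT_NETS):
            findings.append(f"vManage UI reached from non-management address {flow.src}")
    return findings


def scan_log(lines):
    """Run every log line through check_flow; return {line: findings} for flagged lines."""
    results = {}
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            results[line] = findings
    return results


# Constructed sample log: two benign flows, two that should be flagged.
SAMPLE_LOG = [
    "src=10.0.200.1 dst=10.0.100.10 dport=12346 proto=udp",   # known edge -> vManage
    "src=203.0.113.7 dst=10.0.100.10 dport=12346 proto=udp",  # unknown peer on control plane
    "src=10.0.50.22 dst=10.0.100.10 dport=443 proto=tcp",     # admin from management net
    "src=198.51.100.9 dst=10.0.100.10 dport=443 proto=tcp",   # UI reachable beyond mgmt net
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(findings))
```

In practice the allowlist would be generated from the vManage device inventory rather than hand-typed, and the same two rules map cleanly onto firewall policy: permit 12346/udp only between inventoried nodes, and permit 443/tcp to vManage only from the management network.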