According to Rapid7, which discovered CVE-2026–20182, the shortcoming has its echoes in CVE-2026–20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023.

“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026–20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability is not a patch bypass of CVE-2026–20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”

That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026–20182 to become an authenticated peer of the target appliance and carry out privileged operations.