On 14 May 2026, CISA added the vulnerability CVE-2026-20182 to the Known Exploited Vulnerabilities (KEV) catalog, setting a remediation deadline of 17 May 2026 for federal civilian executive branch (FCEB) agencies — just three days. The vulnerability affects the Cisco Catalyst SD-WAN Controller and is an authentication bypass that allows an unauthenticated remote attacker to obtain administrative privileges on the target system. According to Cisco Talos, it is already being exploited in real-world attacks by at least one threat group, and together with previously disclosed SD-WAN vulnerabilities forms a large-scale campaign involving at least ten distinct threat clusters.
Technical details of the vulnerability
According to the CISA description, CVE-2026-20182 is an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager. It allows an unauthenticated remote attacker to completely bypass authentication mechanisms and gain administrative access to a vulnerable system. Its exploitation status is confirmed by its inclusion in the CISA KEV catalog.
Affected products:
- Cisco Catalyst SD-WAN Controller
- Cisco Catalyst SD-WAN Manager
- vManage
In addition to CVE-2026-20182, three other related vulnerabilities are also under active exploitation: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. According to researchers, when chained together these three vulnerabilities allow an unauthenticated remote attacker to gain unauthorized access to the device. It is reported that they were added to the KEV catalog last month.
Attribution and threat context
According to Cisco Talos, active exploitation of CVE-2026-20182 is attributed with high confidence to a group tracked as UAT-8616. This same cluster was previously linked to the use of the vulnerability CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
Cisco Talos researchers note that after successfully exploiting CVE-2026-20182, the UAT-8616 group carried out actions similar to those observed during exploitation of CVE-2026-20127: attempts to add SSH keys, modification of NETCONF configurations, and escalation of privileges to root. The UAT-8616 infrastructure is believed to overlap with so-called Operational Relay Box (ORB) networks. It should be borne in mind that this attribution is based on data from a single research source and has not been independently confirmed by CISA.
Scale of the campaign: 10 exploitation clusters
Since March 2026, according to Cisco Talos, at least 10 different threat clusters have been exploiting the chain of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 using publicly available exploit code. Attackers deploy web shells on compromised systems to execute arbitrary bash commands. One such JSP-based web shell has been named XenShell — after the PoC code published by ZeroZenX Labs.
The diversity of tools and objectives across the clusters shows how broad the spectrum of attackers is:
- Clusters 1 and 4 (since early March 2026) — deployment of the Godzilla web shell and its variants
- Clusters 2 and 3 (since early March 2026) — deployment of the Behinder and XenShell web shells and their combinations
- Cluster 5 (since 13 March 2026) — a malicious agent compiled from the AdaptixC2 penetration-testing framework
- Cluster 6 (since 5 March 2026) — the Sliver command-and-control framework
- Clusters 7 and 9 (since mid-to-late March 2026) — the XMRig cryptominer; cluster 9 additionally uses the tunneling tool gsocket
- Cluster 8 (since 10 March 2026) — the scanning tool KScan and a Nim-based backdoor, presumably derived from NimPlant, with capabilities for file operations, executing bash commands, and collecting system information
- Cluster 10 (since 13 March 2026) — a credential stealer targeting administrator hash dumps, fragments of JSON Web Token (JWT) keys used for REST API authentication, and AWS credentials for vManage
Cluster 10 is particularly concerning: theft of JWT keys and vManage AWS credentials means that compromise of an SD-WAN controller can become an entry point for lateral movement into an organization’s cloud infrastructure.
Impact assessment
Cisco Catalyst SD-WAN is a platform widely used in corporate and government networks to manage distributed infrastructure. Gaining administrative access to an SD-WAN controller effectively gives an attacker control over traffic routing, security policies, and configuration of the organization’s entire WAN infrastructure.
The presence of 10 independent exploitation clusters active since early March 2026 indicates that the vulnerabilities have been exploited at scale for more than two months already. The threat spectrum ranges from espionage (credential theft, backdoor deployment) to financially motivated attacks (cryptomining), which suggests the involvement of both APT groups and less skilled attackers leveraging public exploits.
Practical recommendations
- Apply patches immediately for CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 in line with Cisco’s guidance. CISA’s deadline for FCEB agencies is 17 May 2026, but all organizations should treat this as an equally high priority.
- Audit potentially compromised systems: check for unauthorized SSH keys, changes to NETCONF configurations, JSP web shell files (Godzilla, Behinder, XenShell), and signs of privilege escalation to root.
- Review credentials: rotate administrator passwords, REST API JWT keys, and AWS credentials associated with vManage, especially if patches were not applied before May 2026.
- Restrict network access to SD-WAN Controller and Manager management interfaces — they should not be exposed to the internet.
- Monitoring: track execution of XMRig processes, connections to Sliver and AdaptixC2 infrastructure, and activity related to KScan and gsocket on the network.
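A minimal triage routine, added here as an illustration and not taken from the article, Cisco or Talos, that applies the audit checks above to constructed inputs: unknown SSH key fingerprints, JSP files outside a shipped baseline, and post-March configuration changes by unexpected accounts or granting root. Paths, fingerprints, account names and the audit-record format are placeholders; on a real system they would come from authorized_keys, a file-system walk of the web application directory, and the controller's configuration audit trail.

```python
from datetime import date

# Constructed baselines; paths and fingerprints are placeholders, not real data.
KNOWN_KEY_FINGERPRINTS = {"SHA256:KNOWN-ADMIN-KEY-PLACEHOLDER"}
BASELINE_JSP = {"/placeholder/webapp/index.jsp", "/placeholder/webapp/login.jsp"}
APPROVED_CONFIG_ACCOUNTS = {"admin", "netops-automation"}
CAMPAIGN_START = date(2026, 3, 1)  # earliest cluster activity reported by Talos
WEBSHELL_HINTS = ("godzilla", "behinder", "xenshell")  # families named above

def check_ssh_keys(fingerprints):
    """Any authorized_keys fingerprint outside the known-good set is suspect."""
    return [("ssh-key", fp) for fp in fingerprints if fp not in KNOWN_KEY_FINGERPRINTS]

def check_jsp_files(files):
    """files: (path, mtime) pairs. Flag JSPs outside the shipped baseline and note
    a web-shell family name or a modification date after the campaign start."""
    out = []
    for path, mtime in files:
        if not path.endswith(".jsp") or path in BASELINE_JSP:
            continue
        reasons = ["not in baseline"]
        if any(h in path.lower() for h in WEBSHELL_HINTS):
            reasons.append("name matches known web-shell family")
        if mtime >= CAMPAIGN_START:
            reasons.append(f"modified {mtime}, after campaign start")
        out.append(("web-shell", f"{path}: " + "; ".join(reasons)))
    return out

def check_config_changes(changes):
    """changes: (date, account, summary) from the NETCONF/config audit trail.
    Flag post-campaign edits by unapproved accounts and any change granting root."""
    out = []
    for when, account, summary in changes:
        if when < CAMPAIGN_START:
            continue
        if account not in APPROVED_CONFIG_ACCOUNTS:
            out.append(("netconf", f"{when} {account}: {summary}"))
        if "root" in summary.lower():
            out.append(("privesc", f"{when} {account}: {summary}"))
    return out

# Constructed sample inputs: one clean and one suspect item per category.
SAMPLE_KEYS = ["SHA256:KNOWN-ADMIN-KEY-PLACEHOLDER", "SHA256:UNKNOWN-KEY-PLACEHOLDER"]
SAMPLE_FILES = [("/placeholder/webapp/index.jsp", date(2025, 6, 1)),
                ("/placeholder/webapp/xenshell.jsp", date(2026, 3, 14))]
SAMPLE_CHANGES = [(date(2026, 2, 10), "admin", "routine template push"),
                  (date(2026, 3, 20), "svc-unknown", "netconf edit-config"),
                  (date(2026, 3, 21), "admin", "grant shell access as root")]

def run_sample():
    """Run all three checks over the sample data; returns (category, detail) pairs."""
    return check_ssh_keys(SAMPLE_KEYS) + check_jsp_files(SAMPLE_FILES) + check_config_changes(SAMPLE_CHANGES)
```

Each finding is a starting point for the retrospective analysis described below, not proof of compromise on its own; the baselines must be built from a trusted pre-March snapshot or vendor manifest, not from the possibly compromised host.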
CISA’s three-day deadline is an unprecedentedly short timeframe that reflects the criticality of the situation. Organizations using Cisco Catalyst SD-WAN need to treat patch deployment as an emergency task rather than a routine update and, in parallel, conduct retrospective compromise analysis going back to March 2026 — given that exploitation has been underway for more than two months, a lack of patching very likely means the system has already been compromised.