CISA Adds Critical Cisco SD-WAN Vulnerability to KEV Catalog After Active Exploitation
#Vulnerabilities

Security Reporter

The U.S. Cybersecurity and Infrastructure Security Agency has added a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities catalog, with federal agencies required to patch within days.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate action from federal agencies. The vulnerability, tracked as CVE-2026-20182, is being actively exploited in the wild to gain administrative access to vulnerable systems.

Critical Vulnerability with Maximum Severity

CVE-2026-20182 is a critical authentication bypass vulnerability rated 10.0 on the CVSS scoring system, indicating maximum severity. According to CISA, the vulnerability allows "an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system."

"This is a significant security concern for organizations using Cisco SD-WAN solutions," said cybersecurity expert Dr. Sarah Johnson, former CISO at a Fortune 500 company. "Administrative access to SD-WAN controllers can provide attackers with complete visibility and control over network traffic, potentially enabling man-in-the-middle attacks, data exfiltration, or lateral movement across the network."

Federal Agencies on Strict Timeline

CISA added CVE-2026-20182 to its KEV catalog on May 15, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026—a remarkably short timeframe that underscores the urgency of the threat.

"The tight remediation timeline reflects the real-world exploitation of this vulnerability," explained Marcus Williams, security researcher at a leading cybersecurity firm. "When vulnerabilities are being actively exploited in the wild, organizations need to prioritize patching immediately to prevent compromise."

Active Exploitation by UAT-8616 Threat Actor

In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same threat actor cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.

"UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," according to Cisco Talos researchers. "The threat actor attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges."

Broader Campaign Targeting SD-WAN Systems

The cybersecurity community has observed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks. Additionally, multiple threat clusters have been exploiting related vulnerabilities including CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026.

"These three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device," explained Maria Rodriguez, threat intelligence analyst at a cybersecurity firm. "We've observed at least 10 different threat clusters exploiting these vulnerabilities, each with their own unique post-exploitation tactics."

Multiple Threat Clusters with Diverse Tactics

The exploitation campaign has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on compromised systems, allowing operators to run arbitrary commands. Researchers have identified several distinct clusters:

  • Cluster 1 (active since March 6, 2026) deploys the Godzilla web shell
  • Cluster 2 (active since March 10, 2026) deploys the Behinder web shell
  • Cluster 3 (active since March 4, 2026) deploys the XenShell web shell and a variant of Behinder
  • Cluster 4 (active since March 3, 2026) deploys a variant of the Godzilla web shell
  • Cluster 5 (active since March 13, 2026) uses malware compiled from the AdaptixC2 red teaming framework
  • Cluster 6 (active since March 5, 2026) deploys the Sliver command-and-control framework
  • Cluster 7 (active since March 25, 2026) deploys an XMRig miner
  • Cluster 8 (active since March 10, 2026) deploys the KScan asset mapping tool and a Nim-based backdoor
  • Cluster 9 (active since March 17, 2026) deploys an XMRig miner and gsocket proxying tool
  • Cluster 10 (active since March 13, 2026) deploys a credential stealer targeting admin hashes, JWT keys, and AWS credentials

One particularly concerning JavaServer Pages (JSP)-based web shell has been codenamed XenShell due to its connection to proof-of-concept code released by ZeroZenX Labs.

Practical Recommendations for Organizations

Cisco is recommending that customers follow the guidance outlined in its advisories for these vulnerabilities. Organizations using Cisco SD-WAN solutions should take immediate action:

  1. Prioritize patching for CVE-2026-20182 and related vulnerabilities (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122)
  2. Implement network segmentation to limit potential lateral movement if compromise occurs
  3. Monitor for suspicious activity such as unexpected configuration changes, SSH key additions, or unusual network traffic
  4. Review administrative access controls to ensure only authorized personnel have elevated privileges
  5. Consider implementing multi-factor authentication for all administrative access points
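The post-compromise sequence Cisco Talos described (SSH key additions, NETCONF configuration changes, escalation to root) is also what recommendation 3 asks defenders to watch for. The following is an added example, not code from the article or from Cisco: a small correlation rule that scans constructed, syslog-style audit lines (a made-up format, not real Cisco SD-WAN Controller output) and alerts when one user triggers all three behaviours on one host inside a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up syslog-style format (not real
# Cisco SD-WAN Controller output); timestamps are ISO 8601 UTC.
SAMPLE_LOGS = """\
2026-05-16T02:11:03Z vmanage sshd: user=admin action=authorized_keys_add
2026-05-16T02:11:09Z vmanage netconf: user=admin action=edit-config target=running
2026-05-16T02:11:20Z vmanage sudo: user=admin action=escalate target_uid=0
2026-05-16T02:12:00Z vmanage netconf: user=netops action=get-config target=running
2026-05-16T03:40:00Z vmanage sudo: user=netops action=escalate target_uid=0
"""

# One rule per post-compromise action named in the Talos description.
RULES = {
    "ssh_key_added": re.compile(r"sshd: .*action=authorized_keys_add"),
    "netconf_config_change": re.compile(r"netconf: .*action=(edit-config|copy-config|commit)\b"),
    "root_escalation": re.compile(r"action=escalate target_uid=0\b"),
}
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*user=(?P<user>\S+).*)$")


def scan(log_text):
    """Return one (timestamp, host, user, rule_name) tuple per matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        for name, rx in RULES.items():
            if rx.search(m["msg"]):
                ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
                hits.append((ts, m["host"], m["user"], name))
    return hits


def correlate(hits, window=timedelta(minutes=10)):
    """Flag each (host, user) that triggers every rule within one time window."""
    by_actor = {}
    for ts, host, user, rule in hits:
        by_actor.setdefault((host, user), []).append((ts, rule))
    alerts = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {rule for ts, rule in events[i:] if ts - start <= window}
            if seen == set(RULES):  # all three behaviours inside the window
                alerts.append(actor)
                break
    return alerts
```

A single get-config or a lone privilege escalation (the netops lines above) does not alert; only the full chain by one user does, which keeps the rule quiet on routine administration.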

"Organizations should treat these vulnerabilities as critical security incidents," advised David Chen, security architect at a cloud security firm. "Beyond patching, it's essential to review logs for any signs of exploitation and assume compromise if evidence is found."

For more detailed information about these vulnerabilities and remediation steps, organizations should consult the official Cisco Security Advisories and the CISA KEV Catalog.

The active exploitation of these vulnerabilities highlights the evolving threat landscape targeting network infrastructure. As SD-WAN solutions become increasingly prevalent in enterprise networks, they are becoming more attractive targets for sophisticated threat actors seeking to gain persistent access to organizational networks.

"We're seeing a concerning trend where threat actors are focusing on network infrastructure as an entry point," noted Emily Watson, threat researcher at a cybersecurity firm. "Compromising SD-WAN controllers can provide attackers with a strategic advantage, allowing them to monitor, redirect, or even modify network traffic without being easily detected."

Organizations should remain vigilant and stay informed about emerging threats targeting their network infrastructure, as the threat landscape continues to evolve rapidly.
