CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

Summary

CISA added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its KEV catalog, requiring FCEB agencies to remediate by May 17, 2026. Cisco attributes active exploitation to UAT-8616, who performed similar post-compromise actions as seen in CVE-2026-20127 exploitation.

Full text

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits Ravie LakshmananMay 15, 2026Vulnerability / Credential Theft The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It's rated 10.0 on the CVSS scoring system, indicating maximum severity. "Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," CISA said. In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems. "UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," Cisco Talos said. "UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges." It's assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to the CISA's KEV catalog last month. The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to the use of a PoC released by ZeroZenX Labs. At least 10 different clusters have been linked to the exploitation of the three flaws - Cluster 1 (Active since at least March 6, 2026), which deploys the Godzilla web shell Cluster 2 (Active since at least March 10, 2026), which deploys the Behinder web shell Cluster 3 (Active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder Cluster 4 (Active since at least March 3, 2026), which deploys a variant of the Godzilla webshell Cluster 5 (Active since at least March 13, 2026), which malware agent compiled off the AdaptixC2 red teaming framework Cluster 6 (Active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework Cluster 7 (Active since at least March 25, 2026), which deploys an XMRig miner Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and a Nim-based backdoor that's likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information Cluster 9 (Active since at least March 17, 2026), which deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket Cluster 10 (Active since at least Mar 13, 2026), which deploys a credential stealer that attempts to obtain an admin user's hashdump, JSON Web Tokens (JWT) key chunks that are used for REST API authentication, and AWS credentials for vManage Cisco is recommending that customers follow the guidance and recommendations outlined in the advisories for the aforementioned vulnerabilities to protect their environments. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Authentication bypass, CISA, cisco, Command and Control, Credential Theft, cybersecurity, SD-WAN, Vulnerability, Web Shell ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure

Indicators of Compromise

• cve — CVE-2026-20182
• cve — CVE-2026-20127
• cve — CVE-2026-20133
• cve — CVE-2026-20128
• cve — CVE-2026-20122
• malware — XenShell
• malware — Godzilla
• malware — Behinder
• malware — AdaptixC2
• malware — Sliver
• malware — XMRig
• malware — KScan
• malware — NimPlant
• malware — gsocket

Entities