CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Administrator Access Exploit

The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability affecting the Cisco Catalyst SD-WAN controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 267, 20.
The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It carries a CVSS score of 10.0, the maximum severity.
“The Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthorized, remote attacker to bypass authentication and gain administrative privileges on the affected system,” CISA said.
In a separate advisory, Cisco attributed active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same group behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
“UAT-8616 performed a similar compromise after successfully exploiting CVE-2026-20182, as seen in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, change NETCONF configuration, and escalate to root privileges.”
The infrastructure used by UAT-8616 for exploitation and post-compromise operations is assessed to sit behind Operational Relay Box (ORB) networks. The cybersecurity company also observes several threat clusters exploiting CVE-2026-20133, CVE-2026, 2026-202028-20128 2026.
The three vulnerabilities, when chained together, could allow an unauthorized attacker to gain access to the device. They were added to the CISA KEV catalog last month.
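Both the new KEV entry above and last month's entries come with an FCEB remediation deadline. As an added example (not code from the article, CISA or Cisco), the script below indexes records shaped like CISA's KEV JSON feed and reports, for an asset's CVE list, which ones are in the catalog and how many days remain before (or since) their due date. The sample records and their dates are constructed placeholders, not the catalog's real values.

```python
from __future__ import annotations
from datetime import date
import json

# Constructed sample shaped like CISA's KEV JSON feed: a "vulnerabilities" array whose
# entries carry cveID, dateAdded, dueDate and requiredAction. Dates are placeholders.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Controller and Manager",
     "dateAdded": "2026-05-01", "dueDate": "2026-05-22",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2026-20127", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-10", "dueDate": "2026-04-24",
     "requiredAction": "Apply mitigations per vendor instructions."},
]})


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE id so each lookup is a single dict access."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def kev_status(kev_json: str, asset_cves: list[str], today: date) -> dict[str, dict]:
    """For each CVE on an asset, report KEV membership, due date and days until (or since) it."""
    kev = load_kev(kev_json)
    report: dict[str, dict] = {}
    for cve in asset_cves:
        entry = kev.get(cve)
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "in_kev": True,
            "due": entry["dueDate"],
            "days_left": (due - today).days,  # negative means the deadline has passed
            "overdue": due < today,
            "action": entry["requiredAction"],
        }
    return report


def overdue_cves(report: dict[str, dict]) -> list[str]:
    """CVEs whose remediation deadline has already passed, most overdue first."""
    late = [c for c, r in report.items() if r.get("overdue")]
    return sorted(late, key=lambda c: report[c]["days_left"])


if __name__ == "__main__":
    asset = ["CVE-2026-20182", "CVE-2026-20127", "CVE-2026-20133"]
    rep = kev_status(SAMPLE_KEV_JSON, asset, date(2026, 5, 15))
    for cve, r in rep.items():
        print(cve, r)
    print("overdue:", overdue_cves(rep))
```

Pointing `load_kev` at the live feed instead of the sample gives the same report against real deadlines.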
The activity was found to leverage publicly available proof-of-concept code to deploy web shells on compromised systems, allowing operators to run arbitrary bash commands. Another web shell, based on JavaServer Pages (JSP), has been named XenShell because it uses the PoC released by ZeroZenX Labs.
At least 10 different clusters have been linked to exploitation of the three vulnerabilities:
- Cluster 1 (active since at least March 6, 2026), which uses the Godzilla web shell
- Cluster 2 (active since at least March 10, 2026), which uses the Behinder web shell
- Cluster 3 (active since at least March 4, 2026), which uses the XenShell web shell and a Behinder variant
- Cluster 4 (active since at least March 3, 2026), which uses a Godzilla web shell variant
- Cluster 5 (active since at least March 13, 2026), which uses an agent compiled from the AdaptixC2 red team framework
- Cluster 6 (active since at least March 5, 2026), which uses the Sliver command-and-control (C2) framework
- Cluster 7 (active since at least March 25, 2026), which uses the XMRig miner
- Cluster 8 (active since at least March 10, 2026), which uses the KScan asset mapping tool and a Nim-based backdoor, possibly based on NimPlant, that can perform file operations, extract files using bash, and collect system information
- Cluster 9 (active since at least March 17, 2026), which uses the XMRig miner and a peer-to-peer mining and tunneling tool called gsocket
- Cluster 10 (active since at least March 13, 2026), in which the attacker attempted to obtain a hash dump of the admin user, the JSON Web Token (JWT) key material used for REST API authentication, and AWS credentials for vManage
Cisco recommends that customers follow the guidance and recommendations in the aforementioned advisories to protect their environments.