Mallory
Exploits CVEs in the wild

UAT-8616

Also known as: UAT-8616

UAT-8616 is a threat activity cluster tracked by Cisco Talos and described as a highly sophisticated cyber threat actor. Cisco linked the group with high confidence to active exploitation of Cisco Catalyst SD-WAN vulnerabilities, including CVE-2026-20127 and CVE-2026-20182, with evidence of activity dating back to at least 2023. The actor has targeted Cisco SD-WAN systems, including Catalyst SD-WAN Controller and Manager, and Cisco reporting states that it targets critical infrastructure sectors.

Observed tradecraft includes exploiting authentication bypass flaws to gain unauthorized access to SD-WAN systems, creating rogue peer relationships, obtaining administrative or other high-privileged access, modifying NETCONF configurations, adding SSH keys for persistence, and escalating privileges to root. Cisco also reported that in previously detected attacks the actor downgraded the software version to exploit CVE-2022-20775 for root privilege escalation, then restored the original version; because the running version is put back, a point-in-time version check will not reveal the downgrade, and the sequence has to be reconstructed from version-change history.

Cisco reported that infrastructure used by UAT-8616 overlaps with Operational Relay Box (ORB) networks monitored by Talos. Multiple reports describe the group as an alleged China-nexus actor, or note that ORB overlap is frequently associated with Chinese espionage, but Cisco did not specifically align UAT-8616 with a particular nation-state in its advisory. No other aliases or sub-groups are reported beyond UAT-8616.
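As an added example (written for this page; not code from Mallory, Cisco or Talos), the following hunt script looks for two of the behaviours described above over constructed sample data: a software downgrade followed by a restore of the original version, which a current-version check alone cannot see, and SSH authorized_keys entries that are not in an approved baseline. The record layout, hostnames, version strings and key blobs are all constructed for the example and are not Cisco's log or API formats; the two parsers are the part you would adapt to your own exports.

```python
"""Hunt for two UAT-8616 behaviours over constructed sample data.

1. Downgrade-then-restore of the software version (T1601 Modify System Image),
   the sequence Cisco described around the CVE-2022-20775 root escalation.
2. SSH authorized_keys entries not in an approved baseline (T1098.004).

All record formats, hostnames, versions and key blobs here are constructed
for the example; they are not Cisco's log/API formats or real device data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VersionEvent:
    """One 'software version changed' observation for a controller/manager host."""
    host: str
    ts: datetime
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """'20.9.5.1' -> (20, 9, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def find_downgrade_restore(events, window=timedelta(hours=48)):
    """Flag hosts that moved to a LOWER version and then came back to the version
    they had before, within `window`. A point-in-time version check misses this,
    which is why the sequence is reconstructed from history.

    Returns a list of (host, downgrade_ts, restore_ts, original_version, low_version).
    """
    by_host: dict[str, list[VersionEvent]] = {}
    for e in sorted(events, key=lambda e: (e.host, e.ts)):
        by_host.setdefault(e.host, []).append(e)

    findings = []
    for host, evs in by_host.items():
        for i in range(1, len(evs)):
            prev, cur = evs[i - 1], evs[i]
            if parse_version(cur.version) >= parse_version(prev.version):
                continue  # upgrade or no change: not the pattern we are after
            for later in evs[i + 1:]:
                if later.ts - cur.ts > window:
                    break
                if later.version == prev.version:
                    findings.append((host, cur.ts, later.ts, prev.version, cur.version))
                    break
    return findings


def parse_authorized_keys(text):
    """Yield (key_type, key_blob, comment) per key line of an OpenSSH authorized_keys file.

    Leading options such as from="..." are skipped by locating the key-type token.
    Simplification: quoted option values containing whitespace are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for idx, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
                blob = parts[idx + 1] if idx + 1 < len(parts) else ""
                comment = " ".join(parts[idx + 2:])
                yield tok, blob, comment
                break


def unapproved_keys(authorized_keys_text, approved_blobs):
    """Return every key whose base64 blob is not in the approved baseline."""
    return [(t, b, c) for t, b, c in parse_authorized_keys(authorized_keys_text)
            if b not in approved_blobs]


# ---- constructed sample input (placeholder hosts/versions, not real device data) ----
SAMPLE_EVENTS = [
    VersionEvent("vmanage-01", datetime(2025, 3, 2, 1, 0), "20.9.5.1"),
    VersionEvent("vmanage-01", datetime(2025, 3, 2, 1, 40), "20.6.3"),    # downgrade
    VersionEvent("vmanage-01", datetime(2025, 3, 2, 3, 10), "20.9.5.1"),  # restore
    VersionEvent("vsmart-01", datetime(2025, 3, 1, 9, 0), "20.9.5.1"),
    VersionEvent("vsmart-01", datetime(2025, 3, 4, 9, 0), "20.12.4"),     # routine upgrade
]

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file; key blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINE0000000000000000000000000000 ops-jump@corp
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNKNOWN00000000000000000000 sysadmin
"""
APPROVED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIBASELINE0000000000000000000000000000"}


if __name__ == "__main__":
    for host, down, up, orig, low in find_downgrade_restore(SAMPLE_EVENTS):
        print(f"{host}: {orig} -> {low} at {down}, restored to {orig} at {up}")
    for key_type, blob, comment in unapproved_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_BLOBS):
        print(f"unapproved {key_type} key '{comment}' ({blob[:16]}...)")
```

Run against the constructed data, the script reports the vmanage-01 downgrade to 20.6.3 and its restore ninety minutes later, and the ssh-rsa "sysadmin" key that is absent from the baseline; the vsmart-01 upgrade is ignored because it moves to a higher version. The version comparison is numeric on purpose: a string compare would rank "20.12.4" below "20.9.5.1" and hide the very downgrades the hunt exists to find.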


MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Coverage: 11 of 15 tactics, 40 techniques. The ×N after a technique ID is the number of intelligence reports citing that technique.
TA0042 Resource Development (1 technique)
  T1588           Obtain Capabilities
    T1588.006     Vulnerabilities

TA0001 Initial Access (3 techniques)
  T1078 ×12       Valid Accounts
  T1133 ×2        External Remote Services
  T1190 ×19       Exploit Public-Facing Application

TA0002 Execution (1 technique)
  T1203           Exploitation for Client Execution

TA0003 Persistence (7 techniques)
  T1078 ×12       Valid Accounts
  T1098           Account Manipulation
    T1098.004 ×9  SSH Authorized Keys
  T1133 ×2        External Remote Services
  T1136 ×4        Create Account
  T1505           Server Software Component
    T1505.003     Web Shell
  T1543           Create or Modify System Process
  T1556 ×7        Modify Authentication Process
    T1556.004     Network Device Authentication

TA0004 Privilege Escalation (5 techniques)
  T1068 ×16       Exploitation for Privilege Escalation
  T1078 ×12       Valid Accounts
  T1098           Account Manipulation
    T1098.004 ×9  SSH Authorized Keys
  T1543           Create or Modify System Process
  T1548 ×5        Abuse Elevation Control Mechanism
    T1548.001     Setuid and Setgid

TA0005 Stealth (4 techniques)
  T1006           Direct Volume Access
  T1036           Masquerading
  T1070           Indicator Removal
    T1070.003     Clear Command History
    T1070.004     File Deletion
  T1078 ×12       Valid Accounts

TA0112 Defense Impairment (2 techniques)
  T1556 ×7        Modify Authentication Process
    T1556.004     Network Device Authentication
  T1601 ×6        Modify System Image

TA0006 Credential Access (2 techniques)
  T1556 ×7        Modify Authentication Process
    T1556.004     Network Device Authentication
  T1557           Adversary-in-the-Middle

TA0008 Lateral Movement (2 techniques)
  T1021           Remote Services
    T1021.004     SSH
  T1210 ×4        Exploitation of Remote Services

TA0009 Collection (1 technique)
  T1557           Adversary-in-the-Middle

TA0040 Impact (1 technique)
  T1565           Data Manipulation
Associated vulnerabilities

6 CVEs this actor has used in observed campaigns, all 6 exploited in the wild. Each entry gives the CVE, the affected component, and the number of evidence items tying it to the actor, followed by a representative evidence excerpt.

CVE-2026-20127: Authentication Bypass in Cisco Catalyst SD-WAN Controller and Manager Peering Authentication (exploited in the wild; evidence: 48)

Evidence excerpt: "It's also assessed to be similar to CVE-2026-20127, another case of authentication bypass impacting the same component. Both vulnerabilities have been exploited in the wild as zero-days, with a threat activity cluster dubbed UAT-8616 linked to the abuse of CVE-2026-20127 as far back as 2023."

CVE-2022-20775: Privilege Escalation in Cisco SD-WAN Software CLI (exploited in the wild; evidence: 27)

Evidence excerpt: "In previously detected attacks, the group escalated their privileges to root by downgrading the software versions and exploiting an older privilege escalation vulnerability (CVE-2022-20775)."

CVE-2026-20182: Cisco Catalyst SD-WAN Controller and Manager Peering Authentication Bypass (exploited in the wild; evidence: 14)

Evidence excerpt: "On May 14th, Cisco published an advisory detailing a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN controller infrastructure. The vulnerability, tracked as CVE-2026-20182, is a peering authentication bypass between SD-WAN infrastructure components... Active exploitation has been confirmed in the wild, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog."

CVE-2026-20122: Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API (exploited in the wild; evidence: 1)

CVE-2026-20128: Credential Disclosure in Cisco Catalyst SD-WAN Manager Data Collection Agent (exploited in the wild; evidence: 1)

Evidence excerpt (the single item cited for both CVE-2026-20122 and CVE-2026-20128): "Cisco Talos researchers also warned that UAT-8616 and at least 10 other threat groups have chained together and achieved “widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure.” The company previously disclosed and released patches for the vulnerabilities — including CVE-2026-20122, CVE-2026-20128 and CVE-2026-20133 — in February."

1 more CVE tied to this actor tracked in Mallory.
