XenShell
XenShell is a JavaServer Pages (JSP)-based web shell observed in exploitation of Cisco Catalyst SD-WAN Manager vulnerabilities, particularly the chained exploitation of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Cisco Talos states that most observed exploitation attempts used publicly available ZeroZenX Labs proof-of-concept code and the accompanying JSP shell, which Talos named XenShell. The web shell enables operators to run arbitrary bash commands on compromised systems.

Talos associated XenShell with one of at least 10 post-compromise clusters exploiting unpatched SD-WAN Manager devices from March to April 2026; in Cluster 3, XenShell was deployed as "sysv.jsp" and later accompanied by a Behinder variant deployed as "sysinit.jsp" from IP address 212.83.162[.]37.

XenShell was used alongside other tooling seen across related clusters, including Godzilla, Behinder, AdaptixC2, Sliver, XMRig, gsocket, KScan/QScan, Nim-based implants, and credential-stealing scripts. The activity targeted Cisco SD-WAN infrastructure, and the broader exploitation set included follow-on actions such as web shell deployment, arbitrary command execution, and credential theft targeting admin hashes, JWT key chunks, and AWS credentials for vManage.
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122.
The vast majority of observed exploitation attempts involved the use of the ZeroZenX Labs proof-of-concept code and accompanying JavaServer Pages (JSP) shell, which we are calling “XenShell.”
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Persistence: 1 technique
Lateral Movement: 1 technique
Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.
IOCs tracked for this family
1 network indicator (IP, domain, or DNS infrastructure) attributed to this family across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news:
A JSP-based web shell deployed on compromised Cisco SD-WAN systems to enable arbitrary bash command execution.
A webshell observed in exploitation of Cisco SD-WAN vulnerabilities by additional threat clusters.
A JSP-based webshell used after successful exploitation of Cisco Catalyst SD-WAN Manager vulnerabilities to execute bash commands on the affected system.
A JSP-based webshell deployed after exploitation of Cisco Catalyst SD-WAN vulnerabilities, allowing attackers to execute bash commands on affected systems.