Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched CVE-2026-20182, a critical CVSS 10.0 authentication bypass flaw in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that has been exploited in the wild. The bug affects the vdaemon control-plane service over DTLS/UDP 12346 and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach NETCONF on TCP/830, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the vmanage-admin account and establish persistent access; Cisco said there are no workarounds and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments.
Cisco Talos attributed the most sophisticated exploitation of CVE-2026-20182 with high confidence to UAT-8616, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 after public proof-of-concept release, leading to deployment of JSP webshells such as XenShell, Godzilla, and Behinder, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. CISA added CVE-2026-20182 to the KEV catalog and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and vmanage-admin public-key logins, and patch all vulnerable control components immediately.
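One concrete form of the log review the advisories recommend, added here as an example rather than code from Cisco, Rapid7 or Mallory: it scans sshd-style auth log lines for public-key logins to vmanage-admin and flags any whose key fingerprint is not on the team's provisioned allowlist or whose source address lies outside the management network. The OpenSSH log layout, the allowlisted fingerprint and the management subnet are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Constructed sample log lines in OpenSSH sshd format (assumption: the
# Manager's auth log uses this layout; adapt LOGIN_RE if it differs).
SAMPLE_LOG = """\
May 14 02:13:07 vmanage sshd[2211]: Accepted publickey for vmanage-admin from 203.0.113.45 port 51234 ssh2: RSA SHA256:zzEXAMPLEunknownfingerprint000000000000000
May 14 02:13:09 vmanage sshd[2213]: Accepted password for admin from 192.0.2.10 port 41000 ssh2
May 14 02:15:30 vmanage sshd[2250]: Accepted publickey for vmanage-admin from 192.0.2.10 port 41010 ssh2: ED25519 SHA256:aaEXAMPLEapprovedfingerprint00000000000000
May 14 02:16:02 vmanage sshd[2260]: Failed publickey for vmanage-admin from 198.51.100.7 port 55555 ssh2: RSA SHA256:yyEXAMPLEunknownfingerprint111111111111111
"""

# Placeholder allowlist: fingerprints of keys the team itself provisioned for
# the vmanage-admin service account, and the subnet admin sessions come from.
APPROVED_FINGERPRINTS = {"SHA256:aaEXAMPLEapprovedfingerprint00000000000000"}
MANAGEMENT_NET = ipaddress.ip_network("192.0.2.0/24")

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def find_suspicious_key_logins(log_text, user="vmanage-admin"):
    """Return one finding per public-key login for `user` whose key is not
    approved or whose source is outside the management network. Failed
    attempts are reported as well: an unknown key being presented for the
    account is itself worth investigating."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != user:
            continue
        reasons = []
        if m["fp"] not in APPROVED_FINGERPRINTS:
            reasons.append("unapproved key fingerprint")
        if ipaddress.ip_address(m["ip"]) not in MANAGEMENT_NET:
            reasons.append("source outside management network")
        if reasons:
            findings.append({
                "timestamp": m["ts"], "result": m["result"],
                "source": m["ip"], "fingerprint": m["fp"],
                "reasons": reasons,
            })
    return findings
```

Run against the constructed sample, the approved login from the management subnet is ignored and the two sessions using unknown keys from outside it are returned with their reasons.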

How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Cisco publishes remediation workflow for May SD-WAN advisories
Cisco published detailed remediation guidance instructing customers to collect admin-tech files from all control components before upgrading, then upgrade all vulnerable systems and open a TAC case for indicator scanning. The guidance also included manual verification steps and clarified that Cisco-hosted SD-WAN Cloud customers were already upgraded or scheduled for upgrades.
Nuclei template pull request appears for CVE-2026-20182 detection
A ProjectDiscovery nuclei-templates pull request for CVE-2026-20182 was opened, showing public detection content was being prepared for the flaw. The visible content reflects repository workflow activity rather than exploit details.
Canadian Centre for Cyber Security issues alert on CVE-2026-20182
The Canadian Centre for Cyber Security issued an alert warning of active exploitation of CVE-2026-20182. It highlighted incidents involving added SSH keys, modified NETCONF configurations, and escalation to root privileges.
CISA adds CVE-2026-20182 to the KEV catalog
CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The KEV entry set a federal remediation due date of May 17, 2026.
Talos attributes CVE-2026-20182 exploitation to UAT-8616
Cisco Talos reported active in-the-wild exploitation of CVE-2026-20182 and attributed the activity to the sophisticated cluster UAT-8616. Talos said the actor attempted post-compromise actions including adding SSH keys, modifying NETCONF configurations, and escalating privileges to root.
Rapid7 publicly discloses technical details of CVE-2026-20182
Rapid7 disclosed that CVE-2026-20182 stems from missing authentication logic in the vdaemon service when a peer claims device type 2 (vHub). It showed attackers could become authenticated control-plane peers and append an SSH key to the vmanage-admin account for persistent NETCONF access.
Cisco discloses and patches CVE-2026-20182
Cisco published security advisories and released fixed software for CVE-2026-20182, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller and Manager. Cisco said there are no workarounds and warned the flaw had been exploited in limited attacks.
Cisco observes limited exploitation of CVE-2026-20182 in May
Cisco said it observed limited active exploitation of CVE-2026-20182 in May 2026, indicating the flaw was used as a zero-day before public disclosure. Reporting described attacks gaining high-privileged administrative access on SD-WAN systems.
Public PoC release triggers broader exploitation of older SD-WAN flaws
Cisco Talos observed widespread exploitation from March to April 2026 of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 after ZeroZenX Labs released public proof-of-concept code. Multiple threat clusters used the flaws to deploy JSP webshells and additional tooling.
Cisco fixes and discloses earlier SD-WAN flaws later abused in campaigns
Cisco had released fixes and advisories in February 2026 for Cisco SD-WAN Manager vulnerabilities CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Later reporting said these flaws were subsequently exploited in the wild.
Rapid7 begins coordinated reporting of CVE-2026-20182 to Cisco
Rapid7's disclosure timeline says coordinated reporting to Cisco for CVE-2026-20182 began on March 9, 2026. The vulnerability was discovered by Stephen Fewer and Jonah Burgess during research into related Cisco SD-WAN issues.
Cisco warns CVE-2026-20122 and CVE-2026-20128 are under active exploitation
Cisco warned that two additional Cisco Catalyst SD-WAN Manager vulnerabilities, CVE-2026-20122 and CVE-2026-20128, were being actively exploited. The warning expanded the list of SD-WAN flaws known to be abused in the wild.
Cisco and partners release guidance on ongoing SD-WAN exploitation
CISA and partner agencies released guidance about ongoing global exploitation of Cisco SD-WAN systems tied to earlier campaigns against the platform. This established the broader incident context that later reporting linked to UAT-8616 activity against Cisco SD-WAN infrastructure.
Sources
Remediate Catalyst SD-WAN Security Advisory - May 2026 - Cisco (cisco.com)
WARNING: Authentication Bypass in Cisco Catalyst SD-WAN Can Be Exploited to Gain Administrative | CCB Belgium (ccb.belgium.be)
Resecurity | CVE-2026-20182: Unauthenticated Cisco SD-WAN Control-Plane Compromise via vHub Authentication Bypass (resecurity.com)
10.0 Cisco Catalyst SD-WAN Controller bug added to CISA’s KEV list | news | SC Media (scworld.com)
CISA orders agencies to patch Cisco devices now under attack | Cybersecurity Dive (cybersecuritydive.com)
CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems | CISA (cisa.gov)
[no-title] (cisco.com)
Cisco flags SD-WAN threat - SDxCentral (sdxcentral.com)