The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog. This move mandates immediate remediation for federal agencies by May 17, 2026, due to the potential for severe credential theft and unauthorized access.
The vulnerability, designated CVE-2026-20182, carries a maximum CVSS score of 10.0, signifying its highest severity. Its inclusion in the KEV catalog indicates that malicious actors are actively exploiting it, posing a significant threat to network security and sensitive data.
Critical Cisco SD-WAN Vulnerability Adds to Exploited List
CISA’s addition of CVE-2026-20182 to its KEV catalog highlights the immediate threat posed by unauthenticated remote attackers who can bypass authentication mechanisms. This bypass allows them to gain administrative privileges on affected Cisco Catalyst SD-WAN Controller and Manager systems. Such access can lead to widespread compromise and data exfiltration.
Cisco, in a separate advisory, has linked the exploitation of CVE-2026-20182 to a threat actor cluster identified as UAT-8616. This same cluster is believed to be responsible for the earlier exploitation of CVE-2026-20127, which was also used to gain unauthorized access to SD-WAN environments. The post-compromise activities observed by Cisco Talos include attempts to inject SSH keys, alter network configurations, and escalate to root-level privileges, underscoring the sophisticated nature of the attacks.
Further analysis by cybersecurity firms suggests that the infrastructure used by UAT-8616 for these malicious activities overlaps with Operational Relay Box (ORB) networks. This association points to a potentially larger and more coordinated threat landscape. The situation is compounded by the concurrent exploitation of other vulnerabilities, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, which were also added to CISA’s KEV catalog last month. When chained together, these three flaws enable remote, unauthenticated attackers to achieve unauthorized device access.
Multiple Threat Clusters and Exploitation Methods
The exploitation of these Cisco SD-WAN vulnerabilities has attracted the attention of at least ten distinct threat clusters, indicating a broad range of malicious actors seeking to leverage these security weaknesses. The attackers are known to utilize publicly available proof-of-concept exploit code to deploy web shells on compromised systems. These web shells, such as the JavaServer Pages (JSP)-based XenShell, allow attackers to execute arbitrary bash commands and further their malicious objectives.
Cybersecurity researchers have identified a variety of malicious payloads being deployed by these clusters, including the Godzilla and Behinder web shells, a malware agent associated with the AdaptixC2 red teaming framework, and the Sliver command-and-control (C2) framework. Additionally, some exploiters have been observed deploying XMRig cryptocurrency miners, indicating a mix of motives, from resource hijacking to more sophisticated espionage or data theft.
Evidence also suggests the use of tools like the KScan asset mapping tool and Nim-based backdoors, capable of performing file operations, executing commands, and gathering system information. Notably, one cluster has been observed deploying a credential stealer specifically targeting administrator hash dumps, JSON Web Tokens (JWT) for REST API authentication, and AWS credentials for vManage, a key component of Cisco’s SD-WAN solution. This focus on credential theft is a primary concern, as it can unlock further access and facilitate more extensive breaches.
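The post-compromise behaviour described above (injected SSH keys, JSP-based web shells dropped into a web root) leaves artifacts a defender can hunt for. The script below is an added example, not code from Cisco, CISA or Talos: it parses a constructed authorized_keys file and a constructed directory listing, flags key entries whose fingerprint is not on an allowlist, and flags .jsp files that are absent from a baseline manifest. The paths, key blobs and manifest are invented for the demonstration, and the fingerprint is a simplified hash of the base64 text rather than the ssh-keygen format.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed authorized_keys content (not captured from any real device).
SAMPLE_AUTHORIZED_KEYS = """\
# provisioning key for the network team (expected)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZha2VLbm93bktleUZvckRlbW8wMDAw netops@jump-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeUnknownKeyBlobForDemo0000 root@unknown
"""

# Constructed listing of a hypothetical application web root: (path, mtime).
SAMPLE_WEB_ROOT_FILES = [
    ("/opt/app/webroot/index.jsp", "2025-01-10T08:00:00Z"),
    ("/opt/app/webroot/images/logo.png", "2025-01-10T08:00:00Z"),
    ("/opt/app/webroot/tmp/x.jsp", "2026-04-02T03:14:00Z"),
]
# Hypothetical baseline manifest recorded from a known-good install.
BASELINE_MANIFEST = {"/opt/app/webroot/index.jsp", "/opt/app/webroot/images/logo.png"}


@dataclass(frozen=True)
class KeyEntry:
    key_type: str
    fingerprint: str
    comment: str


# Matches "<type> <base64 blob> [comment]"; option prefixes are not handled here.
KEY_LINE = re.compile(r"^(ssh-\S+|ecdsa-\S+)\s+(\S+)(?:\s+(.*))?$")


def fingerprint(blob: str) -> str:
    # Simplification: hash the base64 text of the key blob. ssh-keygen -lf hashes the
    # decoded bytes, so these values will not match ssh-keygen output; they only serve
    # as a stable identifier for allowlist comparison inside this example.
    return "SHA256:" + hashlib.sha256(blob.encode()).hexdigest()


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Return one KeyEntry per key line, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue  # malformed line; a production tool would report it
        entries.append(KeyEntry(m.group(1), fingerprint(m.group(2)), m.group(3) or ""))
    return entries


def find_unexpected_ssh_keys(text: str, allowed: set[str]) -> list[KeyEntry]:
    """Keys present in authorized_keys but missing from the allowlist."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in allowed]


def find_unexpected_jsp(files: list[tuple[str, str]], baseline: set[str]) -> list[str]:
    """JSP files under the web root that the baseline manifest does not know about."""
    return sorted(p for p, _ in files if p.lower().endswith(".jsp") and p not in baseline)


# Allowlist built from the one key the (constructed) baseline expects.
KNOWN_FINGERPRINTS = {fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIEZha2VLbm93bktleUZvckRlbW8wMDAw")}


def triage(
    authorized_keys_text: str = SAMPLE_AUTHORIZED_KEYS,
    files: list[tuple[str, str]] = SAMPLE_WEB_ROOT_FILES,
    allowed: set[str] = KNOWN_FINGERPRINTS,
    baseline: set[str] = BASELINE_MANIFEST,
) -> dict:
    """Run both checks and return the findings for further review."""
    return {
        "unexpected_ssh_keys": find_unexpected_ssh_keys(authorized_keys_text, allowed),
        "unexpected_jsp": find_unexpected_jsp(files, baseline),
    }


if __name__ == "__main__":
    result = triage()
    for entry in result["unexpected_ssh_keys"]:
        print(f"unexpected SSH key: {entry.key_type} {entry.fingerprint} {entry.comment}")
    for path in result["unexpected_jsp"]:
        print(f"unexpected JSP file: {path}")
```

On a real host the inputs would come from the device's authorized_keys files and a recursive listing of the application web root, compared against a manifest captured before the exposure window; any hit is a lead for incident response, not proof of compromise on its own.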
Cisco advises its customers to adhere to the guidance and recommendations provided in their advisories for CVE-2026-20182 and the other related vulnerabilities. This proactive patching and configuration management approach is crucial for mitigating the risks associated with these actively exploited flaws. Federal Civilian Executive Branch (FCEB) agencies are under a strict deadline of May 17, 2026, to implement the necessary fixes. The ongoing exploitation and the addition of multiple related vulnerabilities to CISA’s KEV catalog suggest that organizations should remain vigilant and prioritize comprehensive security assessments to safeguard their SD-WAN infrastructure.