CISA Adds Cisco SD‑WAN CVE‑2026‑20182 to KEV
CISA added CVE‑2026‑20182 in Cisco Catalyst SD‑WAN Controller to its KEV list after exploitation allowed administrative access. Federal civilian agencies must remediate by May 17, 2026.
The Cybersecurity and Infrastructure Security Agency added a critical authentication‑bypass flaw in Cisco Catalyst SD‑WAN Controller, tracked as CVE‑2026‑20182, to its Known Exploited Vulnerabilities catalog on Thursday and set a remediation deadline of May 17, 2026 for Federal Civilian Executive Branch agencies.
CVE‑2026‑20182 carries a CVSS score of 10.0. CISA warned the flaw “allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.” The KEV listing triggers the mandatory federal remediation requirement.
Cisco linked active exploitation of CVE‑2026‑20182 with high confidence to the threat cluster UAT‑8616, the same actor tied to attacks that used CVE‑2026‑20127. Talos researchers reported that UAT‑8616 performed post‑compromise actions similar to earlier incidents, including attempts to add SSH keys, change NETCONF configurations and escalate to root privileges.
Security teams have observed overlap between infrastructure used by UAT‑8616 and Operational Relay Box networks. Since March 2026, several threat clusters have exploited three additional SD‑WAN flaws, CVE‑2026‑20133, CVE‑2026‑20128 and CVE‑2026‑20122, which were added to CISA’s KEV list last month. When chained, those vulnerabilities can allow a remote, unauthenticated attacker to gain access to devices.
Attackers have used publicly available proof‑of‑concept exploit code to install JavaServer Pages (JSP) and other web shells that enable arbitrary bash commands on compromised systems. One JSP‑based web shell, labeled XenShell, traces to proof‑of‑concept code released by ZeroZenX Labs.
Observers have linked at least ten distinct attacker clusters to exploitation of the SD‑WAN flaws between March and April 2026. Operators deployed a range of tools and payloads, including Godzilla and Behinder web shells, XenShell and its variants, malware compiled from the AdaptixC2 red team framework, the Sliver command‑and‑control framework, and XMRig cryptocurrency miners.
Some intrusions used an asset‑mapping tool called KScan and a Nim‑based backdoor similar to NimPlant to perform file operations, execute files via bash and collect system information. Other operators deployed a peer‑based proxying tool called gsocket or a credential stealer designed to harvest an administrator’s hashdump, JSON Web Token key fragments used for REST API authentication, and AWS credentials for vManage.
Cisco has advised customers to follow the mitigation steps and recommendations in its advisories for the affected SD‑WAN products. The KEV catalog is used to track vulnerabilities that are known to be actively exploited, and inclusion typically carries a federal remediation deadline to reduce the risk of administrative compromise.
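As an added illustration of how a team can act on a KEV listing like this one (not code from the article, CISA or Cisco), the following script parses a record in the shape of CISA's public KEV JSON feed, keeps only the entries for products in a local inventory, and computes how many days remain before each remediation due date. The sample record is constructed inline from the article's own values; the second entry is a placeholder for a product the inventory does not include.

```python
"""Triage KEV entries for products we run and compute time to the due date."""
import json
from datetime import date

# Constructed sample shaped like CISA's KEV feed ("vulnerabilities" array with
# cveID / vendorProject / product / dueDate fields). The Cisco entry uses the
# values from the article; the second entry is a placeholder that must be
# filtered out because it is not in our inventory.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Controller", "dueDate": "2026-05-17"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dueDate": "2026-05-01"},
]})


def load_kev(text):
    """Parse the feed text and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def in_inventory(entry, inventory):
    """True if the vendor matches and the product name contains one of the
    substrings we track for that vendor (case-insensitive)."""
    vendor = entry.get("vendorProject", "").lower()
    product = entry.get("product", "").lower()
    return any(vendor == v.lower() and p.lower() in product for v, p in inventory)


def days_until_due(entry, today):
    """Days remaining until the federal remediation due date (negative = past)."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(text, inventory, today):
    """Return tracked KEV entries with days left and a status, soonest first."""
    results = []
    for entry in load_kev(text):
        if not in_inventory(entry, inventory):
            continue
        left = days_until_due(entry, today)
        status = "overdue" if left < 0 else ("due-this-week" if left <= 7 else "scheduled")
        results.append({"cveID": entry["cveID"], "daysLeft": left, "status": status})
    return sorted(results, key=lambda r: r["daysLeft"])


if __name__ == "__main__":
    # Inventory is a set of (vendor, product-substring) pairs we operate.
    for row in triage(KEV_SAMPLE, {("Cisco", "SD-WAN")}, date(2026, 5, 1)):
        print(row)
```

Point the same function at the live feed and your own inventory to get a daily list of KEV items sorted by remaining time, with anything past its due date flagged as overdue.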