Attackers Exploit Cisco SD-WAN Auth Bypass for Admin Access

Unauthenticated attackers are exploiting CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager to bypass authentication and gain administrative privileges, Cisco Talos reports.

Cisco Talos reported on May 14, 2026 that attackers are actively exploiting CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The vulnerability allows an unauthenticated remote actor to bypass authentication and log into an internal, high-privileged, non-root account on affected systems.

Talos attributes the in-the-wild exploitation to a threat cluster it tracks as UAT-8616. The cluster previously exploited a similar SD-WAN flaw, CVE-2026-20127. After successful logins using CVE-2026-20182, Talos observed actors adding SSH keys, modifying NETCONF configurations and attempting privilege escalation from the internal account to root. Some of the infrastructure used by UAT-8616 overlaps with Operational Relay Box networks monitored by Talos.

Separately, Talos documented widespread exploitation beginning March 2026 of a chain of three earlier SD-WAN Manager vulnerabilities: CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. Cisco published updates and advisories for those flaws in February 2026. After proof-of-concept exploit code was released in March, attackers deployed JavaServer Pages webshells, most commonly a JSP shell Talos calls “XenShell.”

Talos mapped at least 10 distinct post-compromise clusters tied to the earlier CVE chain. Observed payloads included variants of Godzilla and Behinder webshells, the XenShell JSP backdoor, an AdaptixC2-based agent disguised as systemd-resolved, Sliver implants, Sliver command-and-control, XMRig cryptocurrency miners, a Nim-based implant with remote command capabilities, a peer-based proxy/tunneling tool called gsocket used with a Monero miner, and a credential-stealing script that attempted to harvest admin password hashes, JSON Web Token key fragments and AWS credentials for vManage.
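As a defender-side triage aid for two of the post-compromise behaviours reported above (SSH keys added after the bypassed login, and an implant masquerading as systemd-resolved), here is an added example; it is not Talos or Cisco tooling, and the legitimate systemd-resolved paths, the baseline key file and the sample data are assumptions.

```python
"""Triage two indicators from the Talos reporting on a Linux host:
processes named systemd-resolved that run from an unexpected path, and
authorized_keys entries absent from a known-good baseline. Added example;
paths and sample data are assumptions, not values from the advisory."""
import os
from dataclasses import dataclass

# Where a genuine systemd-resolved binary lives on common distributions (assumption).
LEGIT_RESOLVED_PATHS = {"/lib/systemd/systemd-resolved", "/usr/lib/systemd/systemd-resolved"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class Proc:
    pid: int
    comm: str  # short name from /proc/<pid>/comm
    exe: str   # target of /proc/<pid>/exe, "" if unreadable


def masquerading_procs(procs):
    """Processes calling themselves systemd-resolved but not running from a legitimate path."""
    return [p for p in procs if p.comm == "systemd-resolved" and p.exe not in LEGIT_RESOLVED_PATHS]


def key_identity(line):
    """(key type, base64 blob) of an authorized_keys line, ignoring options and comment; None if not a key."""
    parts = line.strip().split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            return (tok, parts[i + 1])
    return None


def unexpected_keys(authorized_keys_text, baseline_text):
    """Key entries present in authorized_keys_text but missing from the known-good baseline."""
    baseline = {key_identity(l) for l in baseline_text.splitlines()} - {None}
    return [l.strip() for l in authorized_keys_text.splitlines()
            if key_identity(l) and key_identity(l) not in baseline]


def live_procs():
    """Snapshot of running processes from /proc (Linux only; run as root to read every exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
        except OSError:
            continue  # process exited between listing and read
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # unreadable without privilege; still flagged if the name matches
        procs.append(Proc(int(pid), comm, exe))
    return procs


if __name__ == "__main__":
    for p in masquerading_procs(live_procs()):
        print(f"suspicious: pid {p.pid} comm={p.comm} exe={p.exe or '<unreadable>'}")
```

Compare the host's authorized_keys files against a baseline captured before the exposure window with `unexpected_keys`; an empty result from both checks does not clear a host that an attacker has already escalated on, so treat it as triage, not as proof of integrity.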

Researchers noted operational details for the campaigns: threat actors staged payloads on public hosting and developer platforms, reused public proof-of-concept code with minor edits, and used commercial virtual private servers for command-and-control. Talos published indicators of compromise, file hashes and network addresses in a public repository and provided Snort signature IDs and ClamAV names to help detection.

Cisco customers were advised to follow the vendor’s security advisory for CVE-2026-20182 and apply available software updates. Talos recommended consulting Rapid7’s disclosure on the same vulnerability for additional technical detail and opening a Cisco TAC request for support. Talos provided Snort SIDs for CVE-2026-20182 (66482-66483) and related signatures for the earlier CVEs to aid defenders.