Cisco SD-WAN Authentication Bypass Exploited

Talos reports CVE-2026-20182 is being actively exploited in Cisco Catalyst SD-WAN Controller and Manager, allowing unauthenticated attackers to bypass login and obtain administrative access.

A Cisco Talos advisory published May 14, 2026, reports active exploitation of CVE-2026-20182, an authentication-bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. Successful exploitation allows unauthenticated remote attackers to log in as an internal, high-privileged non-root account and obtain administrative access to affected systems.

Talos attributes the current activity to a threat actor it tracks as UAT-8616 and classifies that actor as highly sophisticated. UAT-8616 previously exploited CVE-2026-20127. After gaining access, the actor attempted to add SSH keys, modify NETCONF configurations and escalate privileges to root. Talos observed overlap between infrastructure used by UAT-8616 and Operational Relay Box networks it monitors.

Separately, beginning in March 2026 Talos observed multiple distinct clusters exploiting a chain of earlier SD-WAN vulnerabilities: CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. Public proof-of-concept code from ZeroZenX Labs mislabels the targeted flaw as CVE-2026-20127; Talos’ analysis shows the PoC actually exploits the three February-disclosed CVEs. Exploitation from March into April led to widespread deployment of webshells and post-compromise tooling.

Observed implants and tools include a JSP shell called XenShell derived from the PoC, variants of Godzilla and Behinder JSP shells, an AdaptixC2 agent, Sliver implants, Nim-based backdoors, a peer proxy/tunneling tool named gsocket and XMRig cryptocurrency miners. In at least one cluster, operators used scripts to harvest admin password hashes, JSON Web Token key fragments for API authentication and AWS credentials for vManage instances.

The Talos report provides technical indicators and detection signatures, including Snort rule IDs, ClamAV signatures, IP addresses, command-and-control endpoints, file hashes and filenames used by shells and implants. Cisco released software updates and a security advisory addressing the February CVEs and has published guidance for CVE-2026-20182. Talos advised customers to apply Cisco’s mitigation steps and to open a TAC support case for assistance, and it recommended consulting additional technical disclosures for further detail.