UAT-8616 Exploits Cisco SD-WAN to Install Miners

Cisco Talos reports UAT-8616 is exploiting CVE-2026-20182 and earlier SD-WAN flaws to bypass authentication on Catalyst SD-WAN and deploy webshells, Monero miners and backdoors.

Cisco Talos reports a sophisticated threat actor tracked as UAT-8616 is actively exploiting CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, to gain administrative access and install webshells, Monero miners and backdoors. Talos traces the activity to March 2026 and finds it ongoing on systems that remain unpatched.

Successful exploitation of CVE-2026-20182 lets an unauthenticated remote attacker log in as a high-privileged internal account on affected SD-WAN controllers and managers. Once in, UAT-8616 has added SSH keys, modified NETCONF configurations and attempted to escalate privileges to root, and has deployed remote shells and persistent implants to maintain control of the appliance.
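One check a defender can run against that post-access behaviour, as an added example that is not Talos's tooling or anything Cisco ships: audit the entries in an authorized_keys file against an allowlist of approved key fingerprints, and surface any line that does not parse, since odd formatting can hide a key from a naive grep. The sample file, the key blobs and the allowlist are constructed for the example (the "ed25519" blobs are syntactically valid but not real key pairs); the fingerprint format matches what `ssh-keygen -lf` prints. Where the file lives on a given SD-WAN appliance is not stated on this page and must be confirmed against Cisco's guidance.

```python
import base64
import hashlib
import re
import struct

# Matches the key-type/blob/comment tail of an authorized_keys line; anything
# before the key type is the options field (command=, from=, no-pty, ...).
KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in SSH wire encoding (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob for the sample.
    Constructed test data: the 32-byte "point" is just a hash of the seed, so
    this is not a usable key pair."""
    point = hashlib.sha256(b"sample-key-%d" % seed).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint (same format as `ssh-keygen -lf`)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys text into dicts; lines that do not parse are
    returned with an 'error' field rather than silently skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            entries.append({"lineno": lineno, "raw": raw, "error": "unparseable"})
            continue
        entries.append({
            "lineno": lineno,
            "options": line[: m.start(1)].strip(),
            "keytype": m.group(1),
            "blob": m.group(2),
            "comment": m.group(3) or "",
        })
    return entries


def audit_authorized_keys(text: str, approved: set) -> list:
    """Return entries whose fingerprint is not in the approved set, plus any
    unparseable lines, which deserve a manual look."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(entry)
            continue
        entry["fingerprint"] = fingerprint(entry["blob"])
        if entry["fingerprint"] not in approved:
            findings.append(entry)
    return findings


# --- Constructed sample ------------------------------------------------------
# A baseline administrator key followed by an appended key with a forced
# command, the kind of line a post-exploitation script would add.
ADMIN_BLOB = make_ed25519_blob(1)
ROGUE_BLOB = make_ed25519_blob(2)
SAMPLE_AUTHORIZED_KEYS = (
    "# managed by config tool\n"
    f"ssh-ed25519 {ADMIN_BLOB} netadmin@jumphost\n"
    f'command="/bin/sh",no-pty ssh-ed25519 {ROGUE_BLOB}\n'
)
APPROVED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['lineno']}: {f.get('fingerprint', f.get('error'))} "
              f"options={f.get('options')!r}")
```

Build the allowlist from fingerprints collected at a known-good point (or from the key management system of record), not from the file on the box; a key that is already on the appliance is exactly what the audit is meant to question.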

Talos also identified separate clusters of activity exploiting an earlier set of SD-WAN vulnerabilities (CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122) that predate CVE-2026-20182; Cisco patched those flaws in February 2026. After proof-of-concept exploit code appeared in March, multiple groups used it to chain the vulnerabilities and install JSP-based webshells, most commonly one Talos calls “XenShell.” Godzilla and Behinder variants were also observed.

Post-compromise tooling varied across clusters. Talos observed red-team frameworks and implants repurposed as malware, including AdaptixC2 and Sliver; a Nim-based backdoor resembling Nimplant; XMRig miners and scripts to run Monero mining in the background; and a peer-based tunneling tool used for proxying and persistent access. One cluster went after credentials: admin password hash dumps, the JSON Web Token key fragments used for REST authentication, and AWS credentials for vManage instances. Talos reports at least ten distinct clusters, ranging from single webshell deployments to multi-stage intrusions with tunneling and exfiltration.

Infrastructure and staging methods included VPS hosting, known command-and-control nodes and public platforms. Talos notes that UAT-8616 infrastructure overlaps with networks it tracks as Operational Relay Box (ORB) networks. In one case a Nim implant was hosted and executed from a Replit URL. Talos has published indicators of compromise, IP addresses and file hashes in its GitHub repository.

Cisco issued security advisories and software updates for the affected SD-WAN components in February 2026 and recommended customers upgrade. Talos published detection guidance, Snort rules, ClamAV signatures and cluster-specific IOCs on its GitHub. Cisco also provides technical assistance through TAC for customers that suspect compromise.
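Putting the JSP webshell observations and the published file-hash IOCs together, here is an added example of a hunting pass over a web root; it is not Talos's detection content, and the weighted indicators are generic webshell heuristics, not Talos's Snort or ClamAV signatures. The sample JSP files are constructed, and the "known-bad" hash set is built from the hash of one of those samples to stand in for entries loaded from Talos's published list. The two mechanisms cover each other: a hash match catches an obfuscated loader the text heuristics miss, and the heuristics catch a variant not yet in the IOC list.

```python
import hashlib
import os
import re
import tempfile

# Generic indicators of a JSP command shell, weighted so that a single benign
# hit (a page that reads one request parameter) does not alert on its own.
# Example heuristics only, not the signatures Talos published.
INDICATORS = {
    r"Runtime\.getRuntime\(\)\.exec\(": 3,   # direct OS command execution
    r"new\s+ProcessBuilder\(": 3,            # same, via ProcessBuilder
    r"\.defineClass\(": 3,                   # in-memory class loading
    r"javax\.crypto\.Cipher": 2,             # encrypted request/response channel
    r"Class\.forName\(": 1,                  # reflection, often paired with the above
    r"request\.getParameter\(": 1,           # operator input
    r"request\.getHeader\(": 1,              # operator input hidden in headers
    r"Base64": 1,                            # encoded payload handling
}
ALERT_THRESHOLD = 4


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def score_jsp(source: str):
    """Return (score, matched indicator patterns) for one JSP source."""
    hits = [pat for pat in INDICATORS if re.search(pat, source)]
    return sum(INDICATORS[p] for p in hits), hits


def scan_webroot(root: str, ioc_hashes: set) -> list:
    """Walk a web root and flag JSP files that match a known-bad SHA256 or
    exceed the heuristic threshold. Findings are sorted by name so the
    result is deterministic regardless of directory walk order."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            digest = sha256_file(path)
            score, hits = score_jsp(source)
            reasons = []
            if digest in ioc_hashes:
                reasons.append("ioc-hash-match")
            if score >= ALERT_THRESHOLD:
                reasons.append(f"heuristic-score={score}")
            if reasons:
                findings.append({"name": name, "path": path, "sha256": digest,
                                 "reasons": reasons, "hits": hits})
    return sorted(findings, key=lambda f: f["name"])


# --- Constructed sample web root --------------------------------------------
SAMPLE_FILES = {
    # Benign page: one parameter read, score 1, no alert.
    "index.jsp": '<html><body>Hello, <%= request.getParameter("name") %></body></html>\n',
    # Plain command shell: exec plus parameter read, score 4, alerts on heuristics.
    "help.jsp": (
        '<%@ page import="java.io.*" %>\n'
        '<%\n'
        '  String cmd = request.getParameter("cmd");\n'
        '  Process p = Runtime.getRuntime().exec(cmd);\n'
        '  InputStream in = p.getInputStream();\n'
        '  int c; while ((c = in.read()) != -1) out.print((char) c);\n'
        '%>\n'
    ),
    # Obfuscated loader: no plaintext indicators, only caught by its hash.
    "logo.jsp": '<% String s = "52756e74696d65"; /* hex-packed stage, decoded elsewhere */ %>\n',
}


def build_sample_webroot() -> str:
    root = tempfile.mkdtemp(prefix="sdwan-webroot-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo() -> list:
    """Scan the constructed web root. The IOC set holds the hash of the
    constructed logo.jsp, standing in for hashes from Talos's published list."""
    root = build_sample_webroot()
    ioc_hashes = {sha256_file(os.path.join(root, "logo.jsp"))}
    return scan_webroot(root, ioc_hashes)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {', '.join(f['reasons'])}")
```

Run it against a copy of the web content taken during triage rather than the live appliance, and pair the heuristic hits with file modification times around the February patch window and the March proof-of-concept release: a JSP that appeared after the application was deployed is suspicious on timing alone, whatever its score.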
