Critical Authentication Bypass Vulnerability in Cisco Catalyst SD-WAN Exploited

Severity: Critical (Score: 84.0)

Sources: www.rapid7.com, github.com, Blog.Talosintelligence, sec.cloudapps.cisco.com

Summary

A new critical authentication bypass vulnerability, CVE-2026-20182, has been discovered in the Cisco Catalyst SD-WAN Controller, allowing remote unauthenticated attackers to gain privileged access. This vulnerability, identified by Rapid7, affects the 'vdaemon' service and has a CVSS score of 10.0. Talos Intelligence reports ongoing exploitation of CVE-2026-20182 by a sophisticated threat actor, UAT-8616, who previously exploited CVE-2026-20127. The attackers can modify NETCONF configurations and inject SSH keys to escalate privileges. Cisco has released a security advisory for CVE-2026-20182, urging customers to apply patches. The vulnerability is not a bypass of the earlier CVE-2026-20127 fix but a distinct issue in the same service. The attack vector involves exploiting the DTLS handshake process to authenticate as a peer. The situation is critical as multiple vulnerabilities in Cisco systems are being exploited in tandem.

Key Points:

  • CVE-2026-20182 is a critical authentication bypass vulnerability with a CVSS score of 10.0.
  • Ongoing exploitation by threat actor UAT-8616 allows unauthorized access to Cisco SD-WAN systems.
  • Cisco has issued a security advisory and recommends immediate patching for affected systems.

Key Entities

  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-20122 (cve)
  • CVE-2026-20127 (cve)
  • CVE-2026-20128 (cve)
  • CVE-2026-20133 (cve)
  • CVE-2026-20182 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • Behinder (malware)
  • GodZilla (malware)
  • Nimplant (malware)
  • XenShell (malware)
  • XMRig (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1098 - Account Manipulation (mitre_attack)
  • Cisco Catalyst SD-WAN Controller (platform)
  • Cisco Catalyst SD-WAN Manager (platform)
  • AdaptixC2 (tool)
  • GSocket (tool)
  • KScan (tool)
  • Metasploit (tool)
  • QScan (tool)