
Critical Authentication Bypass Vulnerability in Cisco SD-WAN Exploited

Severity: High (Score: 78.0)

Sources: sec.cloudapps.cisco.com, Bleepingcomputer, www.rapid7.com, Securityaffairs.Co, Darkreading

Summary

Cisco has reported a critical authentication bypass vulnerability, CVE-2026-20182, affecting the Catalyst SD-WAN Controller and Manager. The flaw allows a remote, unauthenticated attacker to obtain high-privileged access and manipulate network configurations. It was actively exploited as a zero-day, with attackers sending crafted requests to bypass the authentication mechanism. Rapid7 Labs discovered the flaw while investigating another vulnerability, CVE-2026-20127, which the same threat actor, UAT-8616, had exploited earlier. Cisco has issued security updates and recommends patching affected systems immediately. The vulnerability carries a CVSS score of 10.0 (critical). CISA has added CVE-2026-20182 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by May 17, 2026. Organizations are advised to review logs for unauthorized access attempts.

Key Points:

  • CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN.
  • Active exploitation has been confirmed; attackers gain high-privileged access.
  • Cisco has released patches and CISA has mandated that federal agencies update by May 17, 2026.

Key Entities

  • UAT-8616 (apt_group)
  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • Rapid7 (company)
  • CVE-2022-20775 (cve)
  • CVE-2026-20122 (cve)
  • CVE-2026-20127 (cve)
  • CVE-2026-20128 (cve)
  • CVE-2026-20133 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • message.no (domain)
  • replit.dev (domain)
  • 194.163.175.135 (ipv4)
  • 212.83.162.37 (ipv4)
  • 23.27.143.170 (ipv4)
  • 71.80.85.135 (ipv4)
  • 83.229.126.195 (ipv4)
  • Behinder (malware)
  • GodZilla (malware)
  • Nimplant (malware)
  • XenShell (malware)
  • XMRig (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1098 - Account Manipulation (mitre_attack)
  • Cisco Catalyst SD-WAN (platform)
  • Cisco Catalyst SD-WAN Controller (platform)
  • Cisco Catalyst SD-WAN Manager (platform)
  • AdaptixC2 (tool)
  • GSocket (tool)
  • KScan (tool)
  • Metasploit (tool)
  • QScan (tool)
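The summary advises reviewing logs for unauthorized access attempts, and the entity list above supplies network indicators to look for. The following is an added example of such a sweep; it is not code from Cisco, Rapid7 or any of the cited sources. The IOC IPs and domains are taken from the list above. Everything else is an assumption: the sample log lines are constructed for illustration and do not reproduce any real Cisco SD-WAN Manager log format, the management network 10.20.0.0/16 is a placeholder for your own allowlist, and the keyword heuristic for "sensitive" events is a starting point, not a Cisco-specified signature.

```python
"""IOC and unexpected-source sweep over access logs (added example, not vendor code)."""
import ipaddress
import re

# Network indicators taken from the entity list on this page.
IOC_IPS = {
    "194.163.175.135",
    "212.83.162.37",
    "23.27.143.170",
    "71.80.85.135",
    "83.229.126.195",
}
IOC_DOMAINS = {"message.no", "replit.dev"}

# Assumption: administrative access to the controller/manager is only expected
# from this range. Replace with your own management networks.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed keywords for events that matter after an auth bypass: successful
# logins and account changes (T1098). Tune to the appliance's actual wording.
SENSITIVE_RE = re.compile(r"login success|created|password|privilege", re.IGNORECASE)


def extract_ips(text):
    """Return the syntactically valid IPv4 addresses found in a line."""
    found = set()
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        found.add(cand)
    return found


def matched_domains(text):
    """Return IOC domains present as the domain itself or a subdomain of it."""
    lower = text.lower()
    hits = set()
    for d in IOC_DOMAINS:
        # Preceded by nothing, a dot or a separator; not followed by a label
        # character, so "message.no" does not fire on "message.nobody".
        if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", lower):
            hits.add(d)
    return hits


def outside_mgmt(ip):
    """True when the address is not inside any allowlisted management network."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in MGMT_NETS)


def sweep(lines):
    """Return [(line_number, [reasons...])] for lines that warrant review."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        ips = extract_ips(line)
        ip_hits = sorted(ips & IOC_IPS)
        if ip_hits:
            reasons.append("ioc_ip:" + ",".join(ip_hits))
        dom_hits = sorted(matched_domains(line))
        if dom_hits:
            reasons.append("ioc_domain:" + ",".join(dom_hits))
        if SENSITIVE_RE.search(line):
            # A sensitive event from outside the management range is the
            # shape an unauthenticated bypass would leave behind.
            for ip in sorted(ips):
                if outside_mgmt(ip):
                    reasons.append("unexpected_src:" + ip)
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample log; the line layout is invented for this example.
SAMPLE_LOG = """\
2026-05-01T10:01:02Z vmanage01 auth: login success user=admin src=10.20.0.5
2026-05-01T10:05:44Z vmanage01 auth: login success user=admin src=194.163.175.135
2026-05-01T10:06:10Z vmanage01 audit: user netops created group=netadmin by=admin src=194.163.175.135
2026-05-01T10:07:30Z vmanage01 proxy: outbound connect host=abc.replit.dev
2026-05-01T10:08:00Z vmanage01 auth: login failed user=root src=10.20.0.99
2026-05-01T10:09:00Z vmanage01 proxy: outbound connect host=message.nobody.example
""".splitlines()


def run_sample():
    """Sweep the constructed sample; lines 2, 3 and 4 should be flagged."""
    return sweep(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, reasons in run_sample():
        print(line_no, "; ".join(reasons))
```

Point `sweep()` at the real authentication and audit logs exported from the Manager and Controller, and treat the keyword heuristic as a first pass rather than a verdict. One caveat: replit.dev hosts a great many legitimate applications, so a hit on that domain needs correlation with the IP indicators or with the timing of a suspicious login before it means anything.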