
Critical Cisco SD-WAN Vulnerability CVE-2026-20182 Actively Exploited

Severity: Critical (Score: 87.0)

Sources: sec.cloudapps.cisco.com, www.rapid7.com, Bleepingcomputer, Securityaffairs.Co, Darkreading

Summary

A critical authentication bypass vulnerability, CVE-2026-20182, affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager, was disclosed on May 14, 2026, and is being actively exploited in the wild. The flaw allows an unauthenticated, remote attacker to gain administrative access to affected systems and then manipulate network configuration through the NETCONF protocol. It carries a CVSS score of 10.0, the maximum severity. The threat actor UAT-8616, previously linked to exploitation of similar Cisco SD-WAN vulnerabilities, is using the flaw to inject SSH keys and alter device configuration. CVE-2026-20182 has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA, and Cisco has urged organizations to apply patches immediately. The vulnerability was discovered during an investigation into CVE-2026-20127, which had also been exploited in the wild. Organizations are advised to review logs for unauthorized access attempts and to restrict management-plane access to trusted networks.

Key Points:

  • CVE-2026-20182 is a critical authentication bypass vulnerability with a CVSS score of 10.0.
  • The vulnerability allows unauthenticated attackers to gain administrative access to Cisco Catalyst SD-WAN Controller and Manager systems.
  • CVE-2026-20182 has been added to CISA's Known Exploited Vulnerabilities catalog; Cisco urges immediate patching.

Key Entities

  • UAT-8616 (apt_group)
  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • Rapid7 (company)
  • CVE-2022-20775 (cve)
  • CVE-2026-20122 (cve)
  • CVE-2026-20127 (cve)
  • CVE-2026-20128 (cve)
  • CVE-2026-20133 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • message.no (domain)
  • replit.dev (domain)
  • Government (industry)
  • 194.163.175.135 (ipv4)
  • 212.83.162.37 (ipv4)
  • 23.27.143.170 (ipv4)
  • 71.80.85.135 (ipv4)
  • 83.229.126.195 (ipv4)
  • Behinder (malware)
  • GodZilla (malware)
  • Nimplant (malware)
  • XenShell (malware)
  • XMRig (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Cisco Catalyst SD-WAN (platform)
  • Cisco Catalyst SD-WAN Controller (platform)
  • Cisco Catalyst SD-WAN Manager (platform)
  • AdaptixC2 (tool)
  • GSocket (tool)
  • KScan (tool)
  • Metasploit (tool)
  • QScan (tool)
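
The summary recommends reviewing logs for unauthorized access and restricting management access to trusted networks, and the entity list above carries the IPv4 indicators published for this activity. The following script is an added example (not Cisco's or Rapid7's tooling, and not from the original page) that shows one way to run that triage: it checks each access record against the listed IOC addresses, flags NETCONF and SSH sessions from outside an assumed trusted range, and flags configuration changes that write SSH key material, which is the key-injection behaviour attributed to UAT-8616. The log line format, the trusted networks, and the sample records are all constructed for illustration; adapt `parse_line()` and `TRUSTED_NETS` to the logs actually exported from your SD-WAN Manager and Controllers.

```python
"""Post-CVE-2026-20182 access-log triage for Cisco Catalyst SD-WAN management
systems.  Added example, not vendor tooling.  The record format handled by
parse_line() is CONSTRUCTED for this illustration; real exports (SSH auth logs,
NETCONF session logs, audit logs) need their own parser."""
import ipaddress
import re
from dataclasses import dataclass

# IPv4 indicators listed on this page.  A starting point for matching, not an
# exhaustive block list.
IOC_IPS = {
    "194.163.175.135", "212.83.162.37", "23.27.143.170",
    "71.80.85.135", "83.229.126.195",
}

# ASSUMPTION: management-plane access is only expected from these ranges.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Events that imply an authenticated management session.
SESSION_EVENTS = {"netconf_session", "ssh_login"}

# Markers of SSH key material being written into configuration.
KEY_MARKERS = ("authorized_keys", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2")

# Constructed record layout: "<ts> <host> <event> src=<ip> [user=<u>] [detail=<text>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[a-z_]+) src=(?P<src>\d+\.\d+\.\d+\.\d+)"
    r"(?: user=(?P<user>\S+))?(?: detail=(?P<detail>.*))?$"
)

# Constructed sample records for demonstration; not real telemetry.
SAMPLE_LOG = """\
2026-05-14T03:12:07Z vmanage01 ssh_login src=10.20.30.40 user=admin
2026-05-14T03:14:51Z vmanage01 netconf_session src=194.163.175.135 user=admin
2026-05-14T03:15:02Z vmanage01 config_change src=194.163.175.135 user=admin detail=system aaa user ops ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFragment
2026-05-14T03:20:19Z vmanage01 netconf_session src=203.0.113.9 user=admin
2026-05-14T03:25:44Z vmanage01 ssh_login src=192.168.5.5 user=netops
""".splitlines()


@dataclass
class Finding:
    ts: str
    src: str
    reason: str
    line: str


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str):
    """Parse one constructed-format record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return one Finding per (record, reason) pair worth an analyst's attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable record: skip rather than silently mis-score it
        src = rec["src"]
        reasons = []
        if src in IOC_IPS:
            reasons.append("source IP matches published IOC")
        if rec["event"] in SESSION_EVENTS and not is_trusted(src):
            reasons.append(f"{rec['event']} from untrusted network")
        detail = rec["detail"] or ""
        if any(marker in detail for marker in KEY_MARKERS):
            reasons.append("SSH key material written to configuration (possible key injection)")
        for reason in reasons:
            findings.append(Finding(rec["ts"], src, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src:<16} {f.reason}\n    {f.line}")
```

A hit on an IOC address is a strong signal, but the untrusted-network and key-injection checks are what catch activity from infrastructure not yet published; treat any SSH key written by an administrative session you cannot attribute to a change ticket as a compromise indicator and pull the full NETCONF transaction history for that source.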