Back

Critical Zero-Day Vulnerability CVE-2026-20182 Exploited in Cisco SD-WAN Systems

Severity: Critical (Score: 87.2)

Sources: Csa.Sg, www.rapid7.com, nvd.nist.gov, Cyberscoop, Blog.Talosintelligence

Summary

Cisco has disclosed a critical authentication bypass vulnerability, CVE-2026-20182, affecting its Catalyst SD-WAN Controller and Manager. This flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges, enabling manipulation of network configurations. The vulnerability has a CVSS score of 10.0 and is actively exploited in the wild by a threat actor known as UAT-8616, who previously exploited a similar vulnerability, CVE-2026-20127. Cisco became aware of the exploitation in May 2026 and has released patches to address the issue. Organizations are urged to apply these updates immediately, as there are no effective workarounds. The vulnerability impacts all deployment types of the Cisco Catalyst SD-WAN, including cloud and on-premises solutions. Security advisories have been issued to monitor for unauthorized access attempts. Key Points: • CVE-2026-20182 is a critical authentication bypass vulnerability with a CVSS score of 10.0. • The vulnerability allows unauthenticated attackers to gain administrative access to Cisco SD-WAN systems. • Active exploitation is linked to the threat actor UAT-8616, who previously exploited similar vulnerabilities.

Key Entities

  • Uat-8616 (apt_group)
  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • Cisco (company)
  • Rapid7 (company)
  • CVE-2022-20775 (cve)
  • CVE-2026-20122 (cve)
  • CVE-2026-20127 (cve)
  • CVE-2026-20128 (cve)
  • CVE-2026-20133 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • Cwe-611 - Improper Restriction Of XML External Entity Reference (xxe) (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • message.no (domain)
  • replit.dev (domain)
  • Government (industry)
  • 194.163.175.135 (ipv4)
  • 212.83.162.37 (ipv4)
  • 23.27.143.170 (ipv4)
  • 71.80.85.135 (ipv4)
  • 83.229.126.195 (ipv4)
  • Behinder (malware)
  • GodZilla (malware)
  • Nimplant (malware)
  • XenShell (malware)
  • XMRig (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Cisco Catalyst Sd-wan (platform)
  • Cisco Catalyst Sd-wan Controller (platform)
  • Cisco Catalyst Sd-wan Controllers (platform)
  • Cisco Catalyst Sd-wan Manager (platform)
  • Cisco IOS XE Sd-wan (platform)
  • AdaptixC2 (tool)
  • GSocket (tool)
  • KScan (tool)
  • Metasploit (tool)
  • QScan (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed