Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.
Key Takeaways

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.

FAQ

When were these Cisco SD-WAN vulnerabilities first disclosed?
On February 25, 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The security advisory for these CVEs (cisco-sa-sdwan-authbp-qwCX8D4v) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122 and then again in April to confirm that CVE-2026-20133 had also been exploited.
On May 14, 2026, Cisco published a new advisory (cisco-sa-sdwan-rpa2-v69WY2SW) for CVE-2026-20182, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. This vulnerability is also under active exploitation.
What are the vulnerabilities associated with the Cisco SD-WAN exploitation?
There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:
CVE | Description | CVSSv3 | Cisco Advisory
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability | 10.0 | cisco-sa-sdwan-rpa2-v69WY2SW
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability | 10.0 | cisco-sa-sdwan-rpa-EHchtZk
CVE-2026-20133 | Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability | 7.5 | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Credential Access Vulnerability | 7.5 | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability | 5.4 | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2022-20775 | Cisco SD-WAN CLI Path Traversal Privilege Escalation Vulnerability | 7.8 | cisco-sa-sd-wan-priv-E6e8tEdF

Both CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.
What products are affected?
The following table lists the CVEs and affected devices. None of these vulnerabilities require specific device configurations to be exploitable, and all deployment models are affected:
CVE | Affected Device(s)
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
CVE-2026-20133 | Cisco Catalyst SD-WAN Manager
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager
CVE-2022-20775 | Cisco SD-WAN Software

How severe is the exploitation?
Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root.
Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.
Who is UAT-8616?
UAT-8616 is a designation assigned by Cisco Talos to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to Cisco Talos, UAT-8616 targets critical infrastructure sectors and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks.
UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access, then, in the case of CVE-2026-20127 exploitation, performs software version downgrades to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path. Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.
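The persistence and anti-forensics indicators listed in this answer, and in the post-compromise summary above, lend themselves to a host-triage check. The following script is an added example, not Cisco's or Tenable's code: it parses an sshd_config for PermitRootLogin (global or Match-scoped), compares the keys in authorized_keys against an approved baseline of public-key blobs, and flags log and history files that are missing or truncated to zero bytes. The file paths, the sample sshd_config, the key blobs and the file sizes are all constructed placeholders; confirm the real paths on the appliance being examined.

```python
"""Host-triage checks for the indicators described above: an injected key in
authorized_keys, PermitRootLogin switched on, and cleared log/history files.
Added example (not Cisco's or Tenable's code); paths and samples are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed locations of the files the text says are cleared (placeholders; confirm
# the real paths on the appliance you are examining).
LOG_FILES = ["/var/log/syslog", "/var/log/wtmp", "/var/log/lastlog",
             "/root/.bash_history", "/home/admin/.cli-history"]
# Key-type token that starts the key proper in an authorized_keys line.
KEY_TYPE = re.compile(r"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)(?:-cert-v01@openssh\.com)?$")


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def check_sshd_config(text: str) -> list[Finding]:
    """Report every PermitRootLogin directive other than 'no', and its absence:
    OpenSSH's default (prohibit-password) still accepts root logins by key,
    which is all an injected authorized_keys entry needs."""
    findings, in_match, found = [], False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # drop comments/blank lines
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)       # sshd allows 'Key value' or 'Key=value'
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True                              # directives below are conditional
            continue
        if keyword == "permitrootlogin":
            found = True
            scope = "Match-scoped" if in_match else "global"
            if value.lower() != "no":
                findings.append(Finding("sshd_config", f"line {lineno}: PermitRootLogin {value} ({scope})"))
    if not found:
        findings.append(Finding("sshd_config", "not set: default prohibit-password permits key-based root login"))
    return findings


def parse_authorized_keys(text: str) -> list[tuple[str, str, str]]:
    """Return (options, key_type, blob) per key line; options may precede the key."""
    keys = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):            # the blob must follow the type
            if KEY_TYPE.match(tok):
                keys.append((" ".join(tokens[:i]), tok, tokens[i + 1]))
                break
    return keys


def check_authorized_keys(text: str, approved_blobs: set[str]) -> list[Finding]:
    """Flag any key whose public-key blob is not in the approved baseline."""
    return [Finding("authorized_keys", f"unapproved {ktype} key {blob[:20]}... options={opts or '-'}")
            for opts, ktype, blob in parse_authorized_keys(text) if blob not in approved_blobs]


def check_log_files(sizes: dict[str, int | None]) -> list[Finding]:
    """sizes maps path -> byte size (None if absent); on a live host build it with
    os.path.getsize. Missing or zero-byte history/log files are clearing indicators."""
    findings = []
    for path in LOG_FILES:
        size = sizes.get(path)
        if size is None:
            findings.append(Finding("log_clearing", f"{path} missing"))
        elif size == 0:
            findings.append(Finding("log_clearing", f"{path} truncated to 0 bytes"))
    return findings


def run_triage(sshd_config: str, authorized_keys: str, approved_blobs: set[str],
               log_sizes: dict[str, int | None]) -> list[Finding]:
    return (check_sshd_config(sshd_config) + check_authorized_keys(authorized_keys, approved_blobs)
            + check_log_files(log_sizes))


# --- constructed sample inputs, not real artifacts ---
SSHD_CONFIG = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication no\nMatch User backup\n    PermitRootLogin no\n"
APPROVED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyConstructed00000000000000"}
AUTHORIZED_KEYS = """# known admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyConstructed00000000000000 admin@mgmt
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInjectedKeyConstructed11111111111111 unknown
"""
LOG_SIZES = {"/var/log/syslog": 0, "/var/log/wtmp": 0, "/var/log/lastlog": 292292,
             "/root/.bash_history": None, "/home/admin/.cli-history": 1204}

if __name__ == "__main__":
    for f in run_triage(SSHD_CONFIG, AUTHORIZED_KEYS, APPROVED_BLOBS, LOG_SIZES):
        print(f"[{f.check}] {f.detail}")
```

On a live host, replace the sample constants with the file contents read from disk and a size map built with os.path.getsize, and take the approved key baseline from a known-good configuration backup rather than from the possibly compromised device. Because the actor restores the original software version after escalating, a version check alone says nothing; the file-level indicators above survive that step.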
Are there other threat actors exploiting these vulnerabilities?
Yes. Cisco Talos has identified 10 additional threat clusters that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.
Are proofs-of-concept (PoCs) available?
Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 exploit chain in March 2026. This PoC release directly correlated with the surge in exploitation activity across multiple threat clusters. The availability of public PoC code highlights the risk to any exposed SD-WAN infrastructure that remains unpatched.
What actions has CISA taken?
CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:
All five CVEs in this campaign are now in CISA's KEV catalog.
Are patches available?
Cisco has released patches for each of the vulnerabilities discussed in this blog. We recommend reviewing Cisco's security advisory for each CVE to identify the fixed release and any upgrade considerations that must be addressed for the patch to apply successfully.
Are there indicators of compromise (IoCs)?
Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:
Full IoC lists including C2 server IPs, malware file hashes, and attacker source IPs are available in the Cisco Talos blog.
Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?
Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 have been classified as Vulnerabilities of Interest under Vulnerability Watch due to confirmed active exploitation and the availability of public proof-of-concept code. Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.
Has Tenable released product coverage?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, and CVE-2022-20775. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN.
Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.