Cisco Talos · Vendor research
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Thursday, May 14, 2026 12:02
- Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
- Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
- The exploitation of CVE-2026-20182 appears to have been limited so far, and Talos clusters this activity under UAT-8616 with high confidence.
- Talos is also aware of a series of threat actors, distinct from UAT-8616, that have been observed exploiting a different, previously disclosed set of vulnerabilities in a way not previously identified, beginning in March 2026: specifically CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. It is important to note that those vulnerabilities are distinct from and pre-date CVE-2026-20182. Cisco released software updates and a security advisory addressing those vulnerabilities in February 2026, strongly recommending that customers upgrade.
- We have identified multiple clusters of post-compromise activity, beginning March 2026, associated with the exploitation of CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 that deployed webshells and other malicious tooling, described in this post.
- We observed the vast majority of this exploitation involved the use of ZeroZenX labs’ proof-of-concept and accompanying JSP-based webshell which we track as “XenShell.”…