Exploitation of Authentication Bypass Vulnerability in Cisco SD-WAN Systems
TL;DR
Talos is monitoring the exploitation of an authentication bypass vulnerability, CVE-2026-20182, affecting Cisco Catalyst SD-WAN Controller and Manager, allowing unauthorized remote access to administrative privileges. Additionally, associated clusters of malicious activities involving the deployment of webshells and other tools have been reported.
Main Analysis
Cisco Talos has identified active exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN systems, enabling attackers to bypass authentication procedures and gain administrative access. This vulnerability is particularly concerning as it allows unauthenticated attackers to operate as if they are internal users, significantly increasing the risk of internal network compromises. Evidence indicates that a sophisticated actor, identified as UAT-8616, is behind these exploit attempts, leveraging previously exploited vulnerabilities for additional unauthorized activities, including adding SSH keys and modifying configurations.
The report highlights a notable uptick in exploitation attempts utilizing a combination of vulnerabilities—CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122—alongside newly discovered methods seen in exploits since March 2026. The attackers’ activities often result in the deployment of various webshells, including “XenShell,” derived from proof-of-concept code released by ZeroZenX Labs. Figures illustrating the deployment of these shells indicate the evolving tactics utilized by different clusters of threat actors.
In addition to authentication bypass attempts, Talos has noted several clusters of post-compromise activities featuring different types of malicious tools, from credential stealers to cryptocurrency miners. Each cluster exhibits tailored methods for exploitation and post-compromise actions, such as deploying behaviors that obscure their presence or manipulate system operations.
Defensive Context
Organizations leveraging Cisco SD-WAN technology must prioritize awareness of the vulnerabilities CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, particularly those with unpatched systems. Entities managing Cisco environments should monitor for signs of unauthorized access attempts or changes within their configurations, especially if they are utilizing outdated software.
Why This Matters
The successful exploitation of these vulnerabilities poses a real risk to organizations relying on Cisco’s SD-WAN infrastructure, particularly those with limited visibility into internal operational integrity. Businesses that have not implemented recent updates or monitoring solutions are likely to be at risk.
Defender Considerations
Defenders should focus on enforcing immediate patches for CVE-2026-20182 and associated vulnerabilities outlined in Cisco’s security advisory. Continuous monitoring for the described IP addresses linked to exploit activities, as well as behavioral patterns associated with webshell deployments, will be crucial in mitigating the risk. Additionally, vigilance against credential exfiltrations and escalation attempts should be heightened.
Indicators of Compromise (IOCs)
- IPs: 38.181.52[.]89, 89.125.244[.]33, 71.80.85[.]135, 38.60.214[.]92, 194.233.100[.]40.
- Malicious filenames associated with webshells include “sysv.jsp,” “conf.jsp,” and “20251117022131.jsp.”
- CVE IDs include CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122.
