
"Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. The vulnerability is tracked as CVE-2026-20182 and has a CVSS score of 10.0, indicating maximum severity. CISA added the issue to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate by May 17, 2026."
"UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor. UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Cisco Talos linked the active exploitation of CVE-2026-20182 with high confidence to this cluster."
"It's assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to the CISA's KEV catalog last month."
"The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell h"
CISA added a newly disclosed Cisco Catalyst SD-WAN Controller vulnerability to its Known Exploited Vulnerabilities catalog. The flaw, CVE-2026-20182, carries a CVSS score of 10.0 and enables an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. CISA required Federal Civilian Executive Branch agencies to remediate by May 17, 2026. Cisco Talos attributed active exploitation of CVE-2026-20182 with high confidence to the threat cluster UAT-8616, which performed the same post-compromise actions previously observed in its exploitation of CVE-2026-20127: attempting to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Talos assessed that the infrastructure UAT-8616 used overlaps with Operational Relay Box (ORB) networks, and observed multiple threat clusters exploiting related vulnerabilities beginning March 2026. Chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 can give a remote unauthenticated attacker access to the device. That activity used publicly available proof-of-concept exploit code to deploy web shells and run arbitrary bash commands.
Read at The Hacker News