Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026
Briefly

"Cisco said it became aware of active exploitation in May, and the company's Talos threat intelligence and research group revealed that CVE-2026-20182 appears to have been exploited in limited attacks by a threat actor it tracks as UAT-8616. UAT-8616 has been described by Talos researchers as a highly sophisticated group, but its motivation and potential connections to a specific country or known group have not been revealed."
"The new SD-WAN zero-day is tracked as CVE-2026-20182, and it has been described by Cisco as an authentication bypass vulnerability that can allow a remote attacker to gain admin privileges on the targeted system via specially crafted packets. The vulnerability affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)."
"'UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely,' Talos explained."
"Rapid7 has been credited for reporting CVE-2026-20182 to Cisco. The cybersecurity firm, which shared the technical details with the vendor on March 9, said it discovered the weakness during an analysis of CVE-2026-20127, noting that they are different flaws affecting the same component. Rapid7 disclosed details of the vulnerability on Thursday, and Cisco has made indicators of compromise (IoCs) available to help companies detect poten"
Cisco released patches for CVE-2026-20182, a critical SD-WAN zero-day vulnerability already exploited in attacks. The flaw is an authentication bypass that can let a remote attacker gain admin privileges using specially crafted packets. It affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. Cisco learned of active exploitation in May, and Talos identified limited exploitation by a threat actor tracked as UAT-8616. Talos reported that UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Talos also noted overlap between the actor’s infrastructure and Operational Relay Box (ORB) networks. Rapid7 reported the vulnerability to Cisco after analyzing CVE-2026-20127, and Cisco provided indicators of compromise for detection.
Read at SecurityWeek