
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability affecting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.

The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It is rated 10.0 on the CVSS scoring system, indicating maximum severity.

“Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” CISA said.

In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.

“UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.”


The infrastructure used by UAT-8616 to carry out exploitation and post-compromise activity is assessed to overlap with Operational Relay Box (ORB) networks. The cybersecurity company also observed multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning in March 2026.

The three vulnerabilities, when chained together, can allow a remote, unauthenticated attacker to gain unauthorized access to the device. They were added to CISA’s KEV catalog last month.

The activity has been found to leverage publicly available proof-of-concept (PoC) exploit code to deploy web shells on compromised systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to its use of a PoC released by ZeroZenX Labs.

At least 10 different clusters have been linked to the exploitation of the three flaws:

  • Cluster 1 (active since at least March 6, 2026), which deploys the Godzilla web shell
  • Cluster 2 (active since at least March 10, 2026), which deploys the Behinder web shell
  • Cluster 3 (active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder
  • Cluster 4 (active since at least March 3, 2026), which deploys a variant of the Godzilla web shell
  • Cluster 5 (active since at least March 13, 2026), which deploys a malware agent compiled from the AdaptixC2 red teaming framework
  • Cluster 6 (active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework
  • Cluster 7 (active since at least March 25, 2026), which deploys an XMRig miner
  • Cluster 8 (active since at least March 10, 2026), which deploys the KScan asset mapping tool and a Nim-based backdoor that is likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information
  • Cluster 9 (active since at least March 17, 2026), which deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket
  • Cluster 10 (active since at least March 13, 2026), which deploys a credential stealer that attempts to obtain an admin user’s hashdump, the JSON Web Token (JWT) key chunks used for REST API authentication, and AWS credentials for vManage

Cisco is recommending that customers follow the guidance and recommendations outlined in the advisories for the aforementioned vulnerabilities to protect their environments.
