
Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026

Cisco on Thursday announced the availability of patches for yet another important SD-WAN zero-day vulnerability that has been exploited in attacks. It's the sixth SD-WAN flaw whose exploitation came to light in 2026.

The new SD-WAN zero-day is tracked as CVE-2026-20182, and it has been described by Cisco as an authentication bypass vulnerability that can allow a remote attacker to gain admin privileges on the targeted system via specially crafted packets.

The vulnerability affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage).

Cisco said it became aware of active exploitation in May, and the company's Talos threat intelligence and research group revealed that CVE-2026-20182 appears to have been exploited in limited attacks by a threat actor it tracks as UAT-8616.

UAT-8616 has been described by Talos researchers as a highly sophisticated group, but its motivation and potential connections to a specific country or known group have not been revealed.


The same threat actor previously exploited CVE-2026-20127 to gain unauthorized access to SD-WAN systems.

“UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely,” Talos explained.

Rapid7 has been credited for reporting CVE-2026-20182 to Cisco. The cybersecurity firm, which shared the technical details with the vendor on March 9, said it discovered the weakness during an analysis of CVE-2026-20127, noting that they are different flaws affecting the same component.

Rapid7 disclosed details of the vulnerability on Thursday, and Cisco has made indicators of compromise (IoCs) available to help companies detect potential attacks.

CISA has added CVE-2026-20182 to its KEV catalog, instructing federal agencies to address it within three days.

The KEV list currently includes 15 Cisco SD-WAN vulnerabilities, five of which were discovered this year. In addition to CVE-2026-20182, the other flaws are tracked as CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, and CVE-2026-20127.


An older SD-WAN vulnerability, CVE-2022-20775, was also flagged as exploited in the wild this year, alongside CVE-2026-20127.

Cisco Talos on Thursday described 10 activity clusters observed exploiting SD-WAN vulnerabilities to deliver cryptocurrency miners, credential stealers, backdoors, webshells, and other malware and hacking tools.
