CISA Adds Critical Cisco SD-WAN Flaw CVE-2026-20182 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182, a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated a perfect 10.0 on the CVSS scoring system, allows unauthenticated remote attackers to bypass authentication and gain administrative privileges on affected systems. Federal Civilian Executive Branch (FCEB) agencies must remediate the issue by May 17, 2026. Organizations can use tools like port scanners to identify exposed Cisco SD-WAN deployments in their infrastructure.

Cisco Talos has attributed active exploitation of CVE-2026-20182 with high confidence to threat actor UAT-8616, the same cluster previously observed weaponizing CVE-2026-20127 against SD-WAN systems. Following successful exploitation, UAT-8616 performed consistent post-compromise actions including adding SSH keys, modifying NETCONF configurations, and escalating to root privileges. The threat actor's infrastructure overlaps with Operational Relay Box (ORB) networks, with Cisco researchers identifying at least 10 different clusters actively exploiting CVE-2026-20182 along with related flaws CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026. Security teams should consider running a VPN/proxy detector to identify potential malicious relay infrastructure.

The exploitation chain enables remote unauthenticated attackers to gain unauthorized device access and deploy various web shells. Observed payloads include the Godzilla web shell, Behinder web shell, and XenShell—a JSP-based web shell derived from a ZeroZenX Labs proof-of-concept. Additional malware includes the AdaptixC2-based agent, Sliver command-and-control framework, XMRig cryptocurrency miner, and a Nim-based backdoor paired with KScan asset mapping tool. Organizations should leverage tools like SSL/TLS checkers to ensure proper encryption is enforced on management interfaces and validate their security posture with a comprehensive privacy checkup.