
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability affecting Cisco Catalyst SD-WAN controllers to its Known Exploited Vulnerabilities (KEV) catalog and asked federal civilian executive branch (FCEB) agencies to fix the issue by May 17, 2026.
This vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It is rated 10.0 in the CVSS scoring system, indicating maximum severity.
“An authentication bypass vulnerability exists in Cisco Catalyst SD-WAN Controllers and Managers that could allow an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on affected systems,” CISA said.
In a separate advisory, Cisco attributed active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
“UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, similar to what was observed with the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 added SSH keys, changed NETCONF settings, and attempted to elevate to root privileges.”
The infrastructure used by UAT-8616 to perform its exploits and post-compromise activities is assessed to overlap with Operational Relay Box (ORB) networks, and the cybersecurity firm has also observed multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026.
Chaining these three vulnerabilities could allow a remote, unauthenticated attacker to gain unauthorized access to the device. All three were added to CISA's KEV catalog last month.
The campaign was found to leverage publicly available proof-of-concept (PoC) exploit code to deploy a web shell on compromised systems, allowing operators to execute arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell is code-named XenShell because it relies on a PoC released by ZeroZenX Labs.
At least 10 different clusters are associated with exploitation of the three flaws.
Cluster 1 (active since at least March 6, 2026) deploys the Godzilla web shell.
Cluster 2 (active since at least March 10, 2026) deploys the Behinder web shell.
Cluster 3 (active since at least March 4, 2026) deploys the XenShell web shell and a variant of Behinder.
Cluster 4 (active since at least March 3, 2026).
Cluster 5 (active since at least March 13, 2026) deploys a variant of the Godzilla web shell and a malware agent compiled from the AdaptixC2 red team framework.
Cluster 6 (active since at least March 5, 2026) deploys the Sliver command-and-control (C2) framework.
Cluster 7 (active since at least March 5, 2026) deploys a variant of the Godzilla web shell.
Cluster 8 (active since at least March 10, 2026) deploys the XMRig miner, the KScan asset mapping tool, and a Nim-based backdoor, possibly based on NimPlant, with the ability to perform file operations, execute files using bash, and collect system information.
Cluster 9 (active since at least March 17, 2026) deploys the XMRig miner and a peer-based proxy and tunneling tool called gsocket.
Cluster 10 (active since at least March 13, 2026) collects a hash dump of the admin user and the JSON Web Token (JWT) key chunk used for REST API authentication, and deploys a credential stealer that attempts to retrieve AWS credentials for vManage.
Cisco recommends that customers follow the guidance and recommendations outlined in the aforementioned vulnerability advisories to protect their environments.
