
Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182)

May 16, 2026  Twila Rosenbaum

Cisco has released emergency security updates to address another zero-day vulnerability affecting its Catalyst SD-WAN Controller and Manager products. Tracked as CVE-2026-20182, the authentication bypass flaw has been actively exploited by a highly sophisticated cyber threat actor group that Cisco tracks as UAT-8616. This marks the second such zero-day discovered in the SD-WAN product line this year, following CVE-2026-20127, which was patched earlier in 2026.

Nature of the Vulnerability

CVE-2026-20182 stems from a flawed peering authentication mechanism within the 'vdaemon' service, which runs on both the Catalyst SD-WAN Controller (the centralized brain of the SD-WAN solution) and the Catalyst SD-WAN Manager (the management plane for the entire SD-WAN fabric). The vulnerability affects both on-premises and cloud deployments. An unauthenticated attacker can exploit this issue by sending specially crafted requests over DTLS (Datagram Transport Layer Security) on UDP port 12346, the same service that was vulnerable to CVE-2026-20127.

The flaw allows an attacker to become an authenticated peer of the target appliance. Once authenticated, the attacker can perform privileged operations, such as injecting an attacker-controlled public key into the vmanage-admin user account's authorized SSH keys file. With this key, the attacker can log in to the NETCONF service (SSH over TCP port 830) and issue arbitrary NETCONF commands to reconfigure the entire SD-WAN fabric. This level of access could allow the attacker to intercept traffic, disrupt connectivity, or establish persistent backdoors into the network.

Discovery and Attribution

The vulnerability was reported to Cisco by Rapid7 researchers Jonah Burgess and Stephen Fewer, who discovered it while investigating CVE-2026-20127. The researchers noted that the new issue is located in a similar part of the vdaemon networking stack and has the same impact as the previous bypass. Cisco's threat analysts connected the exploitation of both vulnerabilities to UAT-8616, a group that has been observed leveraging these flaws in targeted attacks.

In previously detected attacks, UAT-8616 escalated their privileges to root by downgrading the SD-WAN software version to an older release and exploiting an older privilege escalation vulnerability (CVE-2022-20775). After gaining root access, the attackers restored the original software version to avoid detection. Cisco did not speculate on the group's origin but noted that the infrastructure used by UAT-8616 overlaps with Operational Relay Box (ORB) networks, which are known to be used by China-nexus threat actors for espionage operations, according to Google Mandiant researchers.

Impact and Mitigation

Cisco has stated that exploitation of CVE-2026-20182 appears to be limited so far, but the company has not specified which organizations are likely to have been targeted. The company strongly advises all customers to upgrade to a fixed software release as soon as possible. Additionally, customers should review SD-WAN Controller logs for entries related to 'Accepted publickey for vmanage-admin' from unknown or unauthorized IP addresses. Cisco's Technical Assistance Center can assist in investigations.
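The two checks a defender would run after reading the advisory, as an added example that is not Cisco's, Rapid7's or the article's own code: an audit of the vmanage-admin authorized_keys contents against a baseline of expected SHA256 key fingerprints (catching an injected key even if it carries a plausible comment or restrictive options), and a scan of login records for 'Accepted publickey for vmanage-admin' events whose source address lies outside an allowlist of management networks. The key material, log lines and network ranges are constructed for the demo, and the login lines are assumed to follow the common OpenSSH sshd format; adjust the regular expression if the appliance records logins differently.

```python
import base64
import hashlib
import ipaddress
import re

# --- part 1: authorized_keys audit ------------------------------------------

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(b64_blob: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64>' fingerprint of a public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) for every key line.

    Blank lines and '#' comments are skipped.  Leading options such as
    command="..." are tolerated by scanning forward to the key-type token;
    an option whose quoted value itself contains a token starting with
    'ssh-' would confuse this simple parser.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                yield tok, key_fingerprint(parts[i + 1]), " ".join(parts[i + 2:])
                break


def audit_authorized_keys(text: str, baseline_fingerprints):
    """Return the keys in `text` whose fingerprint is not in the baseline."""
    baseline = set(baseline_fingerprints)
    return [k for k in parse_authorized_keys(text) if k[1] not in baseline]


def make_ed25519_blob(pub32: bytes) -> str:
    """Build a base64 ssh-ed25519 public key blob (RFC 4253 string encoding)
    from 32 raw bytes.  Used only to construct demo keys offline."""
    name = b"ssh-ed25519"
    body = len(name).to_bytes(4, "big") + name + len(pub32).to_bytes(4, "big") + pub32
    return base64.b64encode(body).decode()


# Constructed demo keys: KNOWN_KEY is the operator's, ROGUE_KEY the injected one.
KNOWN_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(bytes(range(32, 64)))
BASELINE = {key_fingerprint(KNOWN_KEY)}
SAMPLE_AUTHORIZED_KEYS = f"""\
# vmanage-admin keys (constructed sample)
ssh-ed25519 {KNOWN_KEY} netops@jumphost
command="/bin/true" ssh-ed25519 {ROGUE_KEY} x@x
"""

# --- part 2: login log triage ----------------------------------------------

LOGIN_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
)


def find_suspicious_logins(log_text: str, allowed_networks, user: str = "vmanage-admin"):
    """Return (ip, line) for successful public-key logins as `user` whose source
    address lies outside every network in `allowed_networks`."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in nets):
            hits.append((str(ip), line.strip()))
    return hits


# Constructed log lines in OpenSSH sshd format (assumption: the appliance logs
# NETCONF-over-SSH logins the same way).
SAMPLE_LOG = """\
May 14 02:11:03 vsmart sshd[2214]: Accepted publickey for vmanage-admin from 10.20.0.5 port 51822 ssh2: ED25519
May 14 02:13:40 vsmart sshd[2301]: Accepted publickey for vmanage-admin from 203.0.113.77 port 40211 ssh2: ED25519
May 14 02:15:00 vsmart sshd[2333]: Accepted publickey for admin from 203.0.113.77 port 40212 ssh2: ED25519
May 14 02:16:09 vsmart sshd[2400]: Failed password for vmanage-admin from 198.51.100.9 port 2222 ssh2
"""
ALLOWED_MGMT_NETWORKS = ["10.20.0.0/16", "fd00:20::/32"]


if __name__ == "__main__":
    for key_type, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNEXPECTED KEY {key_type} {fp} ({comment})")
    for ip, line in find_suspicious_logins(SAMPLE_LOG, ALLOWED_MGMT_NETWORKS):
        print(f"SUSPICIOUS LOGIN from {ip}: {line}")
```

The baseline of fingerprints should come from a copy of authorized_keys taken before the exposure window, not from the live appliance, since the attacker writes to that file. Fingerprints rather than raw blobs are compared so the check also works against the output of `ssh-keygen -lf`.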

The patch also addresses three other vulnerabilities in the Cisco Catalyst SD-WAN Manager: an information disclosure flaw (CVE-2026-20224) and two privilege escalation vulnerabilities (CVE-2026-20209 and CVE-2026-20210). These are not known to have been exploited in the wild.

Ongoing Exploitation Activity

Cisco Talos researchers have published indicators of compromise and detailed information on ongoing attacks exploiting three other SD-WAN CVEs (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) in the Catalyst SD-WAN Manager. According to Talos, the vast majority of observed exploitation attempts involved the use of proof-of-concept code from ZeroZenX Labs and a JavaServer Pages (JSP) shell named 'XenShell.' The analysts observed several other JSP-based webshell variants. Once the attacker successfully exploited the system, the webshells allowed execution of arbitrary bash commands on the affected device.
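A generic check for the JSP webshell activity described above, as an added example that is not Talos's, Cisco's or the article's code. The article does not describe what XenShell or the other variants contain, so the indicators below are the primitives almost any JSP shell needs in order to run attacker-supplied bash commands (process execution fed by a request parameter, or dynamic class loading from decoded data), not a signature for XenShell itself. The sample JSP sources are constructed for the demo.

```python
import re
from pathlib import Path

# Generic JSP webshell indicators (assumption: the article gives no signature
# for XenShell, so these match what a command-executing JSP page must contain).
INDICATORS = {
    "process_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\("),
    "request_param": re.compile(r"request\.getParameter\s*\("),
    "shell_invocation": re.compile(r'"(?:/bin/(?:ba)?sh|cmd\.exe)"'),
    "dynamic_class": re.compile(r"defineClass\s*\(|Class\.forName\s*\("),
    "base64_decode": re.compile(r"Base64\.getDecoder\(\)|Base64Decoder"),
}


def jsp_indicators(source: str):
    """Return the sorted names of indicators present in one JSP source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def looks_like_webshell(source: str) -> bool:
    """Heuristic verdict: process execution driven by request input, or
    dynamic class loading from base64-decoded data, is what a shell needs.
    A page that merely echoes a parameter does not trip it."""
    found = set(jsp_indicators(source))
    return ("process_exec" in found and "request_param" in found) or (
        "dynamic_class" in found and "base64_decode" in found
    )


def scan_tree(root):
    """Walk `root` for *.jsp files and return [(path, indicators)] for every
    file the heuristic flags.  Unreadable files are skipped."""
    hits = []
    for path in Path(root).rglob("*.jsp"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if looks_like_webshell(text):
            hits.append((str(path), jsp_indicators(text)))
    return hits


# Constructed sample: a minimal command-execution JSP page.
SAMPLE_SHELL = '''<%@ page import="java.io.*" %>
<% String c = request.getParameter("cmd");
   if (c != null) {
     Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", c});
     BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
     String l; while ((l = r.readLine()) != null) out.println(l);
   } %>'''

# Constructed sample: a benign page that reads a parameter but runs nothing.
SAMPLE_BENIGN = '''<%@ page contentType="text/html" %>
<html><body><h1>Status</h1>
<p>Hello, <%= request.getParameter("name") %></p>
</body></html>'''


if __name__ == "__main__":
    for label, src in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        print(label, looks_like_webshell(src), jsp_indicators(src))
    # On a real appliance, point this at the servlet container's web root.
    for path, found in scan_tree("."):
        print("FLAGGED", path, found)
```

Treat a hit as a lead, not a verdict: a legitimate administrative page can contain the same primitives, and an obfuscated shell can hide them, so pair the scan with file modification times and the web server's access log for the same paths.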

Historical Context and Recommendations

The run of vulnerabilities in Cisco's SD-WAN products shows how hard it is to secure the control plane of modern network infrastructure. SD-WAN controllers and managers sit at the center of enterprise connectivity, which makes them high-value targets for advanced persistent threat groups. An authentication bypass in the peering mechanism is especially damaging because it undermines the trust model the fabric is built on: a device accepted as a peer is trusted to reconfigure the fabric. Timely patching and proactive monitoring of these appliances are therefore essential.

Organizations running Cisco Catalyst SD-WAN Controller and Manager should prioritize upgrading to a fixed software release. They should also segment the network so that the control plane is reachable only from trusted hosts, restrict access to management interfaces (including NETCONF on TCP port 830 and the DTLS service on UDP port 12346), and enable detailed logging. Anyone who suspects compromise should preserve and analyze the relevant logs and consult incident response specialists. The security community will be watching for further activity from UAT-8616 and similar groups, since the tools and techniques used in these attacks evolve quickly.

Cisco also recommends that customers regularly review its security advisories and subscribe to alerts to stay informed about emerging threats. The company has not given a timeline for any further SD-WAN Manager fixes, but the exploitation of these flaws in the wild shows why continued vigilance is needed.


Source: Help Net Security News

