CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Cisco SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild involving full administrative takeover attempts.

The flaw affects the Cisco Catalyst SD-WAN Controller and Manager and allows a remote, unauthenticated attacker to bypass authentication and gain administrative control of impacted systems.

Critical Authentication Bypass Enables Full Device Compromise

Tracked as CVE-2026-20182, the vulnerability carries a maximum CVSS score of 10.0, reflecting its severity and potential impact on enterprise networks.

The issue impacts the Cisco Catalyst SD-WAN Controller and Manager, part of Cisco SD-WAN infrastructure used by organizations to manage large-scale network connectivity and routing policies.

According to CISA, attackers can exploit the flaw remotely without authentication to gain full administrative privileges over affected systems.

Active Exploitation Linked to Advanced Threat Cluster

Cisco has attributed the exploitation activity with high confidence to a threat cluster tracked as UAT-8616, which has also been associated with previous SD-WAN-related intrusions.

Security researchers at Cisco Talos reported that the same threat actor has been observed performing post-compromise actions including SSH key injection, configuration changes, and privilege escalation to root access.

Attackers Using Exploit Chains and Public Tools

Investigators found that attackers are leveraging publicly available proof-of-concept (PoC) exploit code to accelerate intrusion efforts. Once inside, they deploy web shells to maintain access and execute remote commands.

One of the web shells observed in the campaign, referred to as XenShell, is based on publicly released exploit tooling and allows attackers to run arbitrary system commands on compromised devices.

Multiple Attack Clusters Targeting SD-WAN Infrastructure

Security teams have identified at least ten distinct attacker clusters exploiting related Cisco SD-WAN vulnerabilities. These clusters demonstrate a wide range of post-exploitation activity, including:

  • Deployment of web shells such as Godzilla, Behinder, and XenShell
  • Use of remote access frameworks like Sliver and AdaptixC2
  • Installation of cryptocurrency miners (XMRig)
  • Credential theft targeting JWT tokens, SSH keys, and AWS credentials
  • Use of tunneling and proxy tools such as gsocket
  • System reconnaissance using asset discovery tools like KScan
  • Deployment of custom Nim-based backdoors

These operations indicate a highly active and diverse threat ecosystem targeting SD-WAN infrastructure globally.

Exploitation Also Involves Vulnerability Chaining

Cisco notes that CVE-2026-20182 is not the only flaw under attack. Additional vulnerabilities in the same product family have been chained together in earlier campaigns to achieve unauthenticated remote access and system compromise.

Some of these vulnerabilities were previously added to the CISA KEV catalog due to confirmed exploitation.

CISA Issues Urgent Remediation Deadline

Following confirmation of active exploitation, CISA has mandated that federal agencies remediate the vulnerability by May 17, 2026, under its KEV compliance requirements.

The agency has urged all organizations using affected Cisco SD-WAN products to apply security updates and follow Cisco’s mitigation guidance immediately.

Conclusion

The exploitation of CVE-2026-20182 highlights the growing risk posed by authentication bypass vulnerabilities in network infrastructure platforms. With attackers actively deploying web shells, stealing credentials, and chaining multiple flaws, organizations are urged to prioritize patching and hardening SD-WAN environments.
