The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.
The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It’s rated 10.0 on the CVSS scoring system, indicating maximum severity.
“Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” CISA said.
In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
“UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.”
It’s assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026.
The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to the CISA’s KEV catalog last month.
The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to the use of a PoC released by ZeroZenX Labs.
At least 10 different clusters have been linked to the exploitation of the three flaws –
- Cluster 1 (Active since at least March 6, 2026), which deploys the Godzilla web shell
- Cluster 2 (Active since at least March 10, 2026), which deploys the Behinder web shell
- Cluster 3 (Active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder
- Cluster 4 (Active since at least March 3, 2026), which deploys a variant of the Godzilla webshell
- Cluster 5 (Active since at least March 13, 2026), which malware agent compiled off the AdaptixC2 red teaming framework
- Cluster 6 (Active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework
- Cluster 7 (Active since at least March 25, 2026), which deploys an XMRig miner
- Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
