CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits
CISA adds the Cisco SD-WAN authentication bypass vulnerability to the KEV list; federal agencies must patch before May 17
CISA Adds Cisco SD-WAN Authentication Bypass to KEV Catalog; Federal Agencies Face May 17 Remediation Deadline
TL;DR CISA added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager (CVSS 10.0), to its Known Exploited Vulnerabilities catalog on May 14. The flaw allows unauthenticated remote attackers to gain administrative access. Federal agencies must remediate by May 17. Active exploitation is attributed to UAT-8616, with at least 10 additional threat clusters exploiting related SD-WAN vulnerabilities since March.
What happened
On May 14, 2026, CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities catalog following active in-the-wild exploitation. The vulnerability affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. CVE-2026-20182 is an authentication bypass flaw rated 10.0 on the CVSS scale, allowing unauthenticated remote attackers to bypass authentication mechanisms and obtain administrative privileges on affected systems.
Cisco attributed active exploitation of CVE-2026-20182 with high confidence to UAT-8616, a threat cluster previously observed weaponizing CVE-2026-20127 against SD-WAN infrastructure. Post-compromise activity attributed to UAT-8616 includes SSH key injection, NETCONF configuration modification, and privilege escalation to root. The infrastructure used by this cluster overlaps with Operational Relay Box (ORB) networks.
Beyond UAT-8616, Cisco identified at least 10 distinct threat clusters exploiting three related SD-WAN vulnerabilities—CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122—since March 2026. These three flaws, when chained, permit remote unauthenticated access to affected devices. All three were added to CISA's KEV catalog in April 2026.
Attacker activity leverages publicly available proof-of-concept exploit code to deploy web shells, enabling execution of arbitrary bash commands. A JSP-based web shell designated XenShell has been observed, named after proof-of-concept code released by ZeroZenX Labs. Other web shells deployed include Godzilla, Behinder, and variants thereof.
The 10 identified clusters show distinct tooling and objectives. Cluster 1 (active since March 6) deploys Godzilla. Cluster 2 (March 10) deploys Behinder. Cluster 3 (March 4) uses XenShell and a Behinder variant. Cluster 4 (March 3) deploys a Godzilla variant. Cluster 5 (March 13) uses a malware agent compiled from the AdaptixC2 red teaming framework. Cluster 6 (March 5) deploys the Sliver command-and-control framework. Cluster 7 (March 25) deploys the XMRig cryptominer. Cluster 8 (March 10) uses KScan asset mapping and a Nim-based backdoor with file operation and information collection capabilities. Cluster 9 (March 17) deploys XMRig and gsocket, a peer-based proxying and tunneling tool. Cluster 10 (March 13) deploys a credential stealer targeting admin hashdumps, JWT key chunks for REST API authentication, and AWS credentials for vManage.
Why it matters
For defenders in Morocco and the MENA region, CVE-2026-20182 represents immediate risk to any SD-WAN infrastructure using affected Cisco products. The 10.0 CVSS score and confirmed active exploitation mean this vulnerability is not theoretical.
SD-WAN controllers and managers are critical network chokepoints. Compromise grants attackers administrative control over WAN segmentation, routing, and policy enforcement—enabling lateral movement, data exfiltration, and persistent access across branch networks. For federal agencies under FCEB mandate, the May 17 deadline is legally binding.
The diversity of payloads deployed (web shells, C2 frameworks, cryptominers, credential stealers, and tunneling tools) indicates multiple adversaries are competing for access to compromised devices. Organizations outside the U.S. federal sector have no mandated deadline but should treat the situation as equally urgent: patch before opportunistic mass scanning and exploitation accelerate.
The observed overlap between UAT-8616 infrastructure and ORB networks may signal coordination or shared hosting, though the exact relationship is not detailed in public guidance.
Affected systems and CVEs
- Cisco Catalyst SD-WAN Controller — CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
- Cisco Catalyst SD-WAN Manager — CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
What to do
- Follow Cisco's published advisories and remediation guidance for CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122.
- Prioritize patching of Cisco Catalyst SD-WAN Controller and Manager instances; federal agencies have until May 17, 2026. Organizations outside the U.S. federal sector should assume similar urgency given active exploit availability.
- Monitor for post-compromise indicators: SSH key addition, NETCONF configuration changes, unexpected privilege escalation, web shell uploads (particularly JSP files), and lateral movement via tunneling tools (gsocket) or C2 frameworks.
- Review network segmentation and access controls around SD-WAN management interfaces; restrict administrative access to trusted networks where operationally feasible.
- Check for indicators of compromise from the 10 identified clusters: unusual process execution (XMRig, gsocket, KScan), web shell artifacts, credential access tool execution, and C2 callbacks to known Sliver or AdaptixC2 infrastructure.
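As an added illustration of the monitoring items above (not code from CISA, Cisco, or the original advisory), the script below runs simple triage rules over constructed audit log lines and flags the post-compromise behaviours the advisory names: authorized_keys changes, NETCONF configuration edits, escalation to root, JSP file drops in a web directory, and execution of XMRig, gsocket or KScan. The syslog-like `key=value` format, the source names (`file`, `netconf`, `auth`, `proc`) and every path in the sample are assumptions made for the example; a real Cisco SD-WAN deployment logs differently, so the parser would need adapting.

```python
"""Heuristic triage of audit log lines for SD-WAN post-compromise indicators.

Added example, not Cisco's or CISA's code. The log format and the paths are
assumptions for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Process names the advisory associates with the exploitation clusters.
SUSPICIOUS_PROCESSES = ("xmrig", "gsocket", "kscan")

# Assumed format: "<timestamp> <host> <source>: key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>\w+):\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    host: str
    detail: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "src": m.group("src")}
    for tok in m.group("kv").split():
        key, _, val = tok.partition("=")
        if key:
            fields[key] = val
    return fields


# Each rule is a predicate over the parsed fields of one line.
def is_ssh_key_injection(f):
    return (f["src"] == "file" and f.get("path", "").endswith("authorized_keys")
            and f.get("op") in ("append", "write", "create"))


def is_netconf_config_change(f):
    return f["src"] == "netconf" and f.get("op") == "edit-config"


def is_root_escalation(f):
    return f["src"] == "auth" and f.get("op") in ("su", "sudo") and f.get("target") == "root"


def is_jsp_webshell_drop(f):
    return (f["src"] == "file" and f.get("op") == "create"
            and f.get("path", "").lower().endswith(".jsp"))


def is_suspicious_process(f):
    cmd = f.get("cmd", "").lower()
    return (f["src"] == "proc" and f.get("op") == "exec"
            and any(name in cmd for name in SUSPICIOUS_PROCESSES))


RULES = [
    ("ssh_key_injection", is_ssh_key_injection),
    ("netconf_config_change", is_netconf_config_change),
    ("root_escalation", is_root_escalation),
    ("jsp_webshell_drop", is_jsp_webshell_drop),
    ("suspicious_process", is_suspicious_process),
]


def triage(log_text):
    """Apply every rule to every parseable line; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue  # unparseable lines are skipped, not treated as findings
        for name, pred in RULES:
            if pred(f):
                detail = f.get("path") or f.get("cmd") or f.get("target", "")
                findings.append(Finding(name, f["ts"], f["host"], detail))
    return findings


# The advisory describes UAT-8616 post-compromise activity as SSH key injection,
# NETCONF configuration modification and escalation to root; a host showing all
# three deserves immediate attention rather than three separate low-priority alerts.
CHAIN = {"ssh_key_injection", "netconf_config_change", "root_escalation"}


def hosts_with_full_chain(findings):
    seen = defaultdict(set)
    for fd in findings:
        seen[fd.host].add(fd.rule)
    return sorted(host for host, rules in seen.items() if CHAIN <= rules)


# Constructed sample: benign lines mixed with one of each indicator and one
# malformed line. Hostnames, users and paths are invented for the example.
SAMPLE_LOG = """\
2026-03-10T04:12:01Z sdwan-mgr-01 file: user=vmanage op=read path=/etc/hosts
2026-03-10T04:12:07Z sdwan-mgr-01 file: user=vmanage op=append path=/home/vmanage/.ssh/authorized_keys
2026-03-10T04:12:09Z sdwan-mgr-01 netconf: user=vmanage op=edit-config target=running
2026-03-10T04:12:15Z sdwan-mgr-01 auth: user=vmanage op=sudo target=root cmd=/bin/bash
2026-03-10T04:12:20Z sdwan-mgr-01 file: user=root op=create path=/var/www/app/status.jsp
2026-03-10T04:12:31Z sdwan-mgr-01 proc: user=root op=exec cmd=/tmp/.x/xmrig
2026-03-10T04:13:00Z sdwan-mgr-01 proc: user=vmanage op=exec cmd=/usr/bin/ls
this line is not in the expected format
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for fd in results:
        print(f"{fd.ts} {fd.host} {fd.rule}: {fd.detail}")
    print("hosts with full UAT-8616-style chain:", hosts_with_full_chain(results))
```

The rules are deliberately narrow string matches, so they will miss renamed binaries or web shells with other extensions; the point is the correlation in `hosts_with_full_chain`, which turns three individually noisy events into one high-confidence signal on the same host.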
Open questions
- Specific patch or update version numbers for CVE-2026-20182 remediation are not provided in available guidance; organizations must consult Cisco advisories directly.
- Whether Cisco has published a consolidated patch addressing all five vulnerabilities, or whether separate updates are required.
- The technical mechanism by which CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain together; the advisory does not detail exploitation prerequisites or required system state.
- Whether UAT-8616's infrastructure overlap with ORB represents direct attribution or opportunistic reuse of compromised hosting.
- Geographic distribution, targeting preferences, or secondary objectives of the 10 clusters remain unspecified.
- Scope of affected Cisco SD-WAN deployments outside U.S. federal agencies and their patch adoption timeline.
- Whether additional threat actors beyond the 10 clusters are exploiting these vulnerabilities.
Source
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits