CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html

Publish Date: 2026-05-15 01:28:00

Source Domain: thehackernews.com

Ravie Lakshmanan, May 15, 2026, Vulnerability / Credential Theft

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.

The vulnerability is a critical authentication bypass tracked as CVE-2026-20182. It’s rated 10.0 on the CVSS scoring system, indicating maximum severity.

“Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” CISA said.

In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.

“UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.”
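One of the post-compromise actions described above, adding SSH keys, is also one of the easiest to check for from the defender's side. The script below is an added example written for this article, not code from Cisco, Talos or CISA: it fingerprints every entry in an `authorized_keys` file the same way `ssh-keygen -lf` does (SHA256 over the decoded key blob) and reports any key whose fingerprint is not in an approved baseline. The sample file contents and the key blobs are constructed placeholders, not real key material, and the approved set is assumed to be maintained out of band by the operator.

```python
"""Baseline check for SSH authorized_keys entries (added example).

Compares the keys present in an authorized_keys file against a set of
approved SHA256 fingerprints and reports anything that is not on the list.
All sample data below is constructed for illustration.
"""
import base64
import hashlib

# Key types recognised on an authorized_keys line.
KEY_TYPES = (
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)


def fingerprint(blob_b64: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (line_no, options, key_type, blob, comment) for each key line.

    Lines are split on whitespace; a quoted option containing spaces
    (e.g. command="a b") would need a proper tokenizer, which this
    example does not include.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Layout is: [options] key-type blob [comment]
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None:
            continue  # not a key line we recognise
        options = " ".join(fields[:idx])
        key_type = fields[idx]
        blob = fields[idx + 1] if len(fields) > idx + 1 else ""
        comment = " ".join(fields[idx + 2:])
        yield line_no, options, key_type, blob, comment


def find_unapproved_keys(text: str, approved: set) -> list:
    """Return [(line_no, fingerprint_or_'malformed', comment)] for keys
    that are not in the approved fingerprint set."""
    findings = []
    for line_no, _options, _key_type, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((line_no, "malformed", comment))
            continue
        if fp not in approved:
            findings.append((line_no, fp, comment))
    return findings


def _blob(label: bytes) -> str:
    """Constructed placeholder blob: base64 of a label, not a real key."""
    return base64.b64encode(label).decode()


# Constructed baseline: the one key the operator has approved.
APPROVED_BLOB = _blob(b"constructed approved key material")
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}

# Constructed authorized_keys content with one approved and one unknown key.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not taken from any real device
ssh-ed25519 {APPROVED_BLOB} ops-admin@example.invalid
ssh-ed25519 {_blob(b"constructed unapproved key material")} unknown-host
"""


if __name__ == "__main__":
    for line_no, fp, comment in find_unapproved_keys(
        SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS
    ):
        print(f"line {line_no}: unapproved key {fp} ({comment or 'no comment'})")
```

Running the same check on a schedule, with the approved set stored off the device, turns a silent key addition into an alert; comparing the file's hash against the last known-good copy is a cheaper first-pass signal but does not tell you which entry changed.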

It’s assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026.

The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to CISA's KEV catalog last month.

The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One…
