Cisco zero-day under ongoing attack by persistent threat group
Cisco zero-day under ongoing attack by persistent threat group
https://cyberscoop.com/cisco-sd-wan-zero-day-exploited/
Publish Date: 2026-05-15 10:12:00
Source Domain: cyberscoop.com
Attackers returned once again to a common target with a massive user base by exploiting a max-severity zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager.
The threat group behind the “limited” number of attacks Cisco is aware of thus far are also linked to a series of previously disclosed vulnerabilities in the vendor’s firewalls and SD-WAN systems, the company said in a threat advisory Thursday.
The authentication bypass vulnerability — CVE-2026-20182 — has a CVSS rating of 10 and “behaves like a master key,” Douglas McKee, director of vulnerability intelligence at Rapid7, wrote in a blog post.
“An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access,” he added. “That is the cybersecurity version of a Jedi mind trick.”
Rapid7 discovered and reported the vulnerability to Cisco on March 9, and Cisco said it became aware of limited exploitation of the vulnerability earlier this month. The vendor disclosed and released a patch for the vulnerability Thursday, and the Cybersecurity and Infrastructure Security Agency quickly added the defect to its known exploited vulnerabilities catalog.
Cisco did not explain what occurred during that two-month window. Yet, the disclosure and warning from researchers marks another challenge for Cisco customers that have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February.
Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. CISA has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog in less than three months.
Cisco Talos researchers attributed the latest round of zero-day attacks to UAT-8616,…
