LmCast :: Stay tuned in

Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

Recorded: May 14, 2026, 9:03 p.m.

Original

This is the second time this year a threat actor has leveraged a CVSS 10.0 vulnerability in Cisco's network control system.

Nate Nelson, Contributing Writer
May 14, 2026
4 Min Read
Source: MTP via Alamy Stock Photo

A highly sophisticated threat actor is exploiting a critical vulnerability in Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Controllers.

Rapid7 disclosed CVE-2026-20182, an authentication bypass vulnerability in Cisco's market-leading network management solution. By allowing unauthenticated attackers free rein over one of an organization's most powerful tools, it earned the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS).

In an updated blog post today, Rapid7 director of vulnerability intelligence Douglas McKee hammered home just how serious an issue this was. "Attackers have become very good at turning central infrastructure weaknesses into high impact operations," he warned, and for nation-states in particular, "an SD-WAN controller is a great place to do [espionage], because it lives in the middle of trust relationships most organizations rarely question." To avoid sensationalizing, McKee added, "To be fair, not every bug turns into Internet-wide exploitation overnight."

In fact, CVE-2026-20182 had been exploited overnight. In a separate publication that same day, researchers at Cisco Talos flagged that a group it tracks as UAT-8616 has already gotten to it.

Hackers Leverage Critical Bugs in Cisco Catalyst

Not only is CVE-2026-20182 not the first vulnerability discovered in Cisco Catalyst this year, it isn't even the first authentication bypass vulnerability with a "critical" 10 score on the CVSS scale.

Back in February, Cisco revealed half a dozen issues with Catalyst. The cream was CVE-2026-20127, which gave unauthenticated attackers the power to log into Cisco controllers as high-privileged users. Though Cisco characterized in-the-wild exploitation of CVE-2026-20127 as "limited," Talos researchers suggested that it was extensive, lasting at least a few years — a lifetime in cyber years. They labeled the threat cluster behind that exploitation "UAT-8616," calling it "highly sophisticated."

Cisco patched CVE-2026-20127, threatening to derail UAT-8616's fun. The threat actor was unfazed, though, as it seems to have almost immediately picked up with yet another, nearly identical vulnerability in the very same product line.

The difference is really only a technicality. In February, the issue was that the Catalyst Controller and Manager weren't rigorous enough in authenticating SD-WAN components, so any hacker off the street could use a specially crafted message to impersonate a device and get in. This month, the problem is that the Controller doesn't actually verify the legitimacy of a specific type of component — a hub router, "vHub," used in cloud deployments — before authenticating it. As a consequence, and as with the February CVE before it, attackers can use this new CVE to obtain administrative privileges in targeted systems and access "NETCONF," a protocol through which they could mess with all kinds of network configurations.

What Might Happen Next to Cisco's Customers

The first time UAT-8616 exploited a Catalyst authentication bypass bug, it took advantage of its access to exploit an older vulnerability, CVE-2022-20775, and escalate from privileged to outright root access. Without spelling it out, Talos indicated that the threat actor might have been "looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors."

This time around, the researchers observed the threat actor performing "similar post-compromise actions" after winning initial access, including adding SSH keys to targeted systems, modifying NETCONF configurations, and escalating to root.

Little is known of UAT-8616 beyond all this, but those willing to speculate might note that the most sophisticated threat actors who abuse edge technologies, especially Cisco products, are usually Chinese. On top of that, in its latest blog, Talos wrote that UAT-8616 "overlaps with the Operational Relay Box (ORB) networks" it tracks, ORBs being most common among Chinese groups.

Organizations that hope to avoid UAT-8616 should implement Cisco's newly released patch for CVE-2026-20182. Otherwise, "Centralized control planes do carry higher consequences when a vulnerability occurs, because a single compromised controller can affect the entire overlay network," warns Jonah Burgess, senior security researcher at Rapid7.

Despite the huge risks from vulnerabilities that seem to be coming hard and fast these days, Burgess suggests that organizations not be too dissuaded. "Centralized SD-WAN management solves real operational problems, and the architecture itself isn't the flaw," he says.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and an award-winning scriptwriter. He writes episodes of "Darknet Diaries," one of the most popular podcasts on the planet. Before that, he co-created another one of the most popular shows in cybersecurity, "Malicious Life." He began his career as a freelance writer, ghostwriting articles for technology and finance executives on Forbes, CNBC, and various other publications. He was recruited into journalism by the editors at Threatpost, and was the site's very last reporter by the time it closed its doors. He holds degrees from New York University and Bard College. As a born and bred New Yorker he enjoys a superiority complex, but is polite enough to keep it to himself.

Summarized

A critical vulnerability, designated CVE-2026-20182, was recently exploited in the wild and carries the maximum severity score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS). The vulnerability resides in Cisco's Catalyst Software-Defined Wide Area Network (SD-WAN) Controllers; it is an authentication bypass that gives unauthenticated attackers significant control over one of an organization's most crucial network management tools. Douglas McKee, director of vulnerability intelligence at Rapid7, emphasized the severity of this flaw, noting that threat actors are highly adept at leveraging weaknesses in central infrastructure to execute high-impact operations, particularly for espionage, because SD-WAN controllers sit at the nexus of trust relationships that organizations rarely scrutinize.

Researchers from Cisco Talos flagged that the exploitation of this vulnerability by a group tracked as UAT-8616 had already occurred, demonstrating that the exploit was not theoretical but actively leveraged during the reporting period. This incident followed previous discoveries, such as CVE-2026-20127, which also granted unauthenticated attackers privileged access to Cisco controllers. While Cisco characterized the exploitation of the earlier vulnerability as limited, Talos researchers suggested that the threat actor UAT-8616 maintained the exploitation for an extended period, indicating a highly sophisticated and persistent threat group.

The technical distinction between the earlier and current issues lies in the scope of the failure. The initial vulnerability related to insufficient authentication of SD-WAN components, allowing external impersonation. The current vulnerability is narrower: the Controller fails to verify the legitimacy of a specific component, the hub router ("vHub") used in cloud deployments, before authenticating it. Consequently, exploiting CVE-2026-20182 enables attackers to obtain administrative privileges and access NETCONF, a protocol through which they can manipulate extensive network configurations.

The post-compromise actions that researchers observed after exploitation of this vulnerability, attributed to UAT-8616, included adding SSH keys to targeted systems, modifying NETCONF configurations, and escalating privileges to root. This behavior suggests that the threat actors abusing these edge technologies, especially Cisco products, are highly organized, with some speculation pointing toward groups originating from China because of the cluster's overlap with Operational Relay Box networks.
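As an added, defender-side example (not code from the article, Rapid7, or Cisco Talos), and serving both the article's and the summary's description of the post-compromise activity: a small audit-event analyser that flags the three reported behaviours, SSH keys added outside a baseline, NETCONF configuration edits from peers not on an allowlist, and escalation to root, and raises a combined alert when one host shows more than one of them. The event schema, baseline fingerprints, peer allowlist and sample records are all constructed assumptions, not Cisco's log format.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str

# Assumed baseline: SSH key fingerprints already authorised on each controller.
BASELINE_KEYS = {"controller-1": {"SHA256:AAAA", "SHA256:BBBB"}}
# Assumed allowlist of management peers permitted to push NETCONF edits.
NETCONF_ALLOWED_PEERS = {"10.0.0.5"}

def analyse(events, baseline_keys=BASELINE_KEYS, allowed_peers=NETCONF_ALLOWED_PEERS):
    """Flag each suspicious event, then add one 'post_compromise_chain' finding
    per host that shows two or more of the three reported behaviours."""
    findings = []
    known = {host: set(keys) for host, keys in baseline_keys.items()}
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind == "ssh_key_added":
            keys = known.setdefault(host, set())
            if ev["fingerprint"] not in keys:  # key absent from the baseline snapshot
                keys.add(ev["fingerprint"])
                findings.append(Finding("unexpected_ssh_key", host, ev["fingerprint"]))
        elif kind == "netconf_edit_config" and ev["peer"] not in allowed_peers:
            findings.append(Finding("netconf_edit_unknown_peer", host, ev["peer"]))
        elif kind == "priv_escalation" and ev.get("to_user") == "root":
            findings.append(Finding("escalation_to_root", host, ev.get("from_user", "?")))
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    for host, rules in sorted(rules_by_host.items()):
        if len(rules) >= 2:  # several behaviours on one host: treat as a chain
            findings.append(Finding("post_compromise_chain", host, ",".join(sorted(rules))))
    return findings

# Constructed sample audit events (not a real Cisco log format).
SAMPLE_EVENTS = [
    {"type": "ssh_key_added", "host": "controller-1", "fingerprint": "SHA256:BBBB"},
    {"type": "ssh_key_added", "host": "controller-1", "fingerprint": "SHA256:ZZZZ"},
    {"type": "netconf_edit_config", "host": "controller-1", "peer": "10.0.0.5"},
    {"type": "netconf_edit_config", "host": "controller-1", "peer": "198.51.100.7"},
    {"type": "priv_escalation", "host": "controller-1", "from_user": "admin", "to_user": "root"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.host:14} {f.detail}")
```

The baseline and allowlist would in practice come from a known-good snapshot taken before the patch window, so that keys or peers introduced by an intruder are not silently accepted as normal.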

From an architectural perspective, the existence of centralized SD-WAN management planes introduces profound risks; as Jonah Burgess, a senior security researcher at Rapid7, warned, a single compromised controller can affect the entire overlay network, thus carrying substantially higher consequences. Despite this concentrated risk, Burgess suggested that the architecture itself does not represent the fundamental flaw, pointing instead to the necessity of immediate defensive action. Organizations are strongly advised to implement Cisco's newly released patch for CVE-2026-20182 to mitigate these risks, rather than being deterred by the complexity of the flaws.