
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos reports active in-the-wild exploitation of multiple Cisco Catalyst SD-WAN flaws, most notably CVE-2026-20182, an authentication bypass in SD-WAN Controller and Manager that lets an unauthenticated remote attacker log in as a high-privileged internal user and then pivot to full administrative control. Talos attributes the exploitation of CVE-2026-20182 to UAT-8616, which followed initial access with post-compromise actions including adding SSH keys, modifying the NETCONF configuration, and attempting root escalation; its infrastructure overlaps with ORB networks.

The post also documents broader exploitation of the older chain of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 against unpatched SD-WAN Manager systems, where attackers used public PoC code from ZeroZenX Labs to deploy JSP webshells such as XenShell, Godzilla variants, and a modified Behinder shell.

The practical value is high because the article goes beyond advisory language: it shows real attacker tradecraft, campaign clustering, specific webshell families, and how quickly public exploit code translated into opportunistic compromise of exposed SD-WAN infrastructure.
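As an added example (not code from the original post, from Talos, or from Cisco), the script below turns two of the post-compromise actions described above into defender-side checks a responder could run on a suspect appliance: it compares the entries in an `authorized_keys` file against an approved fingerprint baseline, and it sweeps a web root for JSP files carrying classic webshell traits (runtime command execution, in-memory class loading, an encrypted command channel, reflection). The key blobs, the JSP bodies, the baseline and the directory layout are all constructed for the demo, and the traits are generic heuristics written here, not vendor signatures for XenShell, Godzilla or Behinder; where to find the real `authorized_keys` file and web root on an SD-WAN Manager is left to the operator.

```python
"""Hunting helpers modelled on the post-compromise actions in the Talos summary.
Added example: all inputs below are constructed, and the JSP traits are
generic heuristics, not signatures for any named webshell family."""
from __future__ import annotations

import base64
import hashlib
import re
import tempfile
from pathlib import Path

# --- 1. unexpected SSH keys -------------------------------------------------
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment, raw_line) per key line; skips blanks and '#'
    comments and tolerates a leading options field such as command="...".
    Options containing spaces inside quotes are not parsed specially; the key
    type and blob are still single tokens, so they are found either way."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                yield ssh_fingerprint(parts[i + 1]), " ".join(parts[i + 2:]), raw
                break


def unexpected_ssh_keys(text: str, approved: set[str]) -> list[str]:
    """Return raw key lines whose fingerprint is not in the approved baseline."""
    return [raw for fp, _c, raw in parse_authorized_keys(text) if fp not in approved]


def _blob(seed: str) -> str:
    """Constructed placeholder blob; a real blob encodes key type and material."""
    return base64.b64encode(seed.encode()).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by config tooling (constructed sample)",
    f"ssh-ed25519 {_blob('approved-admin-key')} admin@mgmt",
    f'command="/usr/bin/backup" ssh-rsa {_blob("approved-backup-key")} backup@mgmt',
    f"ssh-ed25519 {_blob('key-added-after-compromise')} root@unknown",
])
APPROVED = {ssh_fingerprint(_blob("approved-admin-key")),
            ssh_fingerprint(_blob("approved-backup-key"))}

# --- 2. JSP webshell traits -------------------------------------------------
WEBSHELL_TRAITS = [  # constructed heuristics: (label, regex)
    ("runtime-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")),
    ("dynamic-classload", re.compile(r"defineClass|ClassLoader")),
    ("crypto-channel", re.compile(r"javax\.crypto|Cipher\.getInstance")),
    ("reflection", re.compile(r"Class\.forName|getDeclaredMethod")),
]


def jsp_traits(text: str) -> list[str]:
    """Labels of every webshell trait present in a JSP source body."""
    return [label for label, rx in WEBSHELL_TRAITS if rx.search(text)]


def find_suspicious_jsp(root: Path, min_traits: int = 2) -> dict[str, list[str]]:
    """Map of web-root-relative JSP path -> traits, for files with >= min_traits."""
    hits: dict[str, list[str]] = {}
    for p in root.rglob("*.jsp"):
        traits = jsp_traits(p.read_text(errors="ignore"))
        if len(traits) >= min_traits:
            hits[p.relative_to(root).as_posix()] = traits
    return hits


BENIGN_JSP = '<%@ page contentType="text/html" %>\n<html><%= new java.util.Date() %></html>\n'
SHELL_LIKE_JSP = (  # constructed: shows the traits, is not a working shell
    '<%@ page import="javax.crypto.*" %>\n'
    '<% Cipher c = Cipher.getInstance("AES"); Class k = Class.forName("java.lang.Runtime");\n'
    '   new ClassLoader(){}.defineClass(null, new byte[0], 0, 0);\n'
    '   Runtime.getRuntime().exec("id"); %>\n'
)


def demo() -> dict:
    """Run both checks on a constructed web root and the sample key file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.jsp").write_text(BENIGN_JSP)
        (root / "upload").mkdir()
        (root / "upload" / "x.jsp").write_text(SHELL_LIKE_JSP)
        jsp_hits = find_suspicious_jsp(root)
    return {"jsp": jsp_hits, "ssh": unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED)}


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

In practice the approved set is built once from a known-good image or config backup, and a baseline-first design matters here because a key the attacker adds looks exactly like a legitimate one on its own. The JSP sweep deliberately requires two traits so that an ordinary page calling `getClassLoader()` for a resource is not flagged by itself.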


This post is licensed under CC BY 4.0 by the author.