CISA Flags Cisco SD-WAN CVE-2026-20182 Exploits


CISA added Cisco SD-WAN flaw CVE-2026-20182 to KEV after active attacks enabled admin access on vulnerable systems.


The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Cisco SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after evidence emerged that attackers are actively exploiting the flaw in the wild.

The vulnerability, tracked as CVE-2026-20182, affects Cisco Catalyst SD-WAN Controller and SD-WAN Manager products and carries the maximum CVSS severity score of 10.0. Cisco said the flaw allows remote, unauthenticated attackers to bypass authentication protections and gain administrative privileges on affected systems.

According to Cisco Talos, the attacks have been linked with high confidence to a threat cluster known as UAT-8616, which previously exploited another Cisco SD-WAN vulnerability, CVE-2026-20127. Researchers said the group used similar post-compromise techniques, including adding unauthorized SSH keys, modifying NETCONF configurations, and escalating privileges to root access.

Rapid7 researchers Stephen Fewer and Jonah Burgess discovered the vulnerability while analyzing earlier Cisco SD-WAN exploits. Their technical analysis found that attackers could impersonate a trusted “vHub” device during the DTLS authentication process, allowing them to establish authenticated sessions without valid credentials or certificates.

Researchers said successful exploitation could allow attackers to inject malicious SSH keys into high-privileged internal accounts and execute arbitrary NETCONF commands against compromised controllers. Cisco confirmed there are currently no workarounds available for the issue and urged customers to install patched software releases immediately.
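Unauthorized SSH keys are the post-compromise indicator named above that is simplest to check for. The following is an added example, not code from Cisco, Talos or Rapid7: it compares the keys in `authorized_keys` content collected from a system against a baseline of approved fingerprints. The baseline set and the sample keys are constructed assumptions.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (key_type, blob, comment) for an authorized_keys entry, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # handles quoted options, e.g. command="..."
    except ValueError:               # unbalanced quote in a comment field
        tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def audit(text, approved):
    """List every key whose fingerprint is missing from the approved baseline."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        try:
            fp = fingerprint(blob)
        except ValueError:           # binascii.Error: blob is not valid base64
            fp = "UNPARSEABLE"
        if fp not in approved:
            findings.append({"line": lineno, "type": key_type, "fingerprint": fp, "comment": comment})
    return findings

# Constructed sample data: these blobs are placeholders, not real keys.
APPROVED_BLOB = base64.b64encode(b"constructed-approved-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-unapproved-key").decode()
SAMPLE = (f"# constructed sample\nssh-ed25519 {APPROVED_BLOB} ops@jump-host\n"
          f'command="/bin/true",no-pty ssh-rsa {ROGUE_BLOB} unknown\n')
APPROVED = {fingerprint(APPROVED_BLOB)}  # assumed baseline of sanctioned keys

if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED))
```

The fingerprints use the same `SHA256:` format that `ssh-keygen -lf` prints, so a baseline can be built from key files that are already known to be legitimate.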

CISA has ordered Federal Civilian Executive Branch agencies to remediate the vulnerability by May 17, 2026, due to the ongoing exploitation activity and the risk posed to government networks.

The newly disclosed flaw is the sixth Cisco SD-WAN vulnerability publicly reported as exploited in 2026, highlighting continued targeting of enterprise networking infrastructure by advanced threat actors.
