TLP:WHITE
Disclosure not limited. This advisory may be distributed publicly through any channel.
OFFICIAL ADVISORY // cisco-sa-sdwan-rpa2-v69WY2SW // PUBLISHED 2026-05-14

Cisco Catalyst SD-WAN Controller Authentication Bypass — CVSS 10.0, Actively Exploited by State-Sponsored Threat Actor UAT-8616

CVE-2026-20182 is a maximum-severity (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage). The flaw is in the control-plane peering authentication logic: a remote, unauthenticated attacker can abuse it to obtain administrative privileges. Successful exploitation grants NETCONF access and, with it, the ability to rewrite SD-WAN fabric configuration across the entire enterprise network. CISA issued Emergency Directive 26-03 requiring federal agencies to remediate by May 17, 2026; Cisco Talos attributes active exploitation to the state-sponsored cluster UAT-8616, which has targeted SD-WAN infrastructure since at least 2023.

AFFECTED SYSTEM | SEVERITY | EXPLOIT | PATCH
Cisco Catalyst SD-WAN Controller (vSmart) — all supported releases prior to fixed versions | CRITICAL | LIMITED | PATCHED
Cisco Catalyst SD-WAN Manager (vManage) — all supported releases prior to fixed versions | CRITICAL | LIMITED | PATCHED
On-Prem, SD-WAN Cloud-Pro, SD-WAN Cloud, SD-WAN for Government (FedRAMP) deployments | CRITICAL | LIMITED | PATCHED

No workarounds exist — upgrade to Cisco-provided fixed software immediately. Cisco SD-WAN Cloud (Cisco Managed) customers are already patched at release 20.15.506 and require no action. Collect admin-tech files from each control component before upgrading to preserve forensic evidence. Restrict SD-WAN Controller and Manager management interfaces to trusted networks only. Open a Cisco TAC case (Severity 3, title 'CVE-2026-20182') if compromise is suspected.

Run 'show control connections detail' or 'show control connections-history detail' from the CLI and look for peer entries with state:up and challenge-ack:0; a peer that is up without having completed the challenge exchange may be an unauthorized connection. Check /var/log/auth.log for 'Accepted publickey for vmanage-admin' entries from IP addresses outside your management network. Monitor for unexpected SSH key additions, NETCONF configuration changes, new admin account creation, and log-clearing activity. UAT-8616 TTPs include SSH key injection, NETCONF manipulation, privilege escalation via CVE-2022-20775 after a software downgrade, and extensive log clearing.
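A triage helper for the two checks above, added here as an example; it is not part of the Cisco advisory, the CISA directive or the Talos report. Two assumptions: the peer-connection input is modelled as key: value blocks carrying the state and challenge-ack fields the advisory names (the real 'show control connections-history detail' layout differs and would need its own parser), and the auth.log lines follow the standard OpenSSH format. All sample input is constructed, and the trusted network range is a placeholder for your own management ranges.

```python
"""Triage helper for the CVE-2026-20182 indicators named in the advisory.

Added example, not Cisco or CISA tooling. Input formats are assumptions:
peer blocks are simplified key: value records, auth.log is standard OpenSSH.
"""
import ipaddress
import re

# Constructed stand-in for 'show control connections-history detail' output,
# reduced to key: value lines with one blank line between peers (assumed layout).
SAMPLE_CONTROL_CONNECTIONS = """\
peer-type: vsmart
peer-system-ip: 10.0.0.2
peer-private-ip: 192.0.2.10
state: up
challenge-ack: 1

peer-type: vmanage
peer-system-ip: 10.0.0.99
peer-private-ip: 198.51.100.7
state: up
challenge-ack: 0

peer-type: vbond
peer-system-ip: 10.0.0.3
peer-private-ip: 192.0.2.11
state: down
challenge-ack: 0
"""

# Constructed auth.log lines in standard OpenSSH format.
SAMPLE_AUTH_LOG = """\
May 15 02:11:03 vmanage sshd[2210]: Accepted publickey for vmanage-admin from 192.0.2.10 port 51234 ssh2: RSA SHA256:AAAA
May 15 02:14:41 vmanage sshd[2288]: Accepted publickey for vmanage-admin from 203.0.113.45 port 40022 ssh2: RSA SHA256:BBBB
May 15 02:15:02 vmanage sshd[2290]: Accepted password for admin from 192.0.2.20 port 40100 ssh2
"""

# Placeholder: the operator's known management / control-plane ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_peer_blocks(text):
    """Split blank-line-separated key: value blocks into one dict per peer."""
    blocks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def suspicious_peers(text):
    """Peers that are up but never completed the challenge exchange."""
    return [
        b for b in parse_peer_blocks(text)
        if b.get("state") == "up" and b.get("challenge-ack") == "0"
    ]


AUTH_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def untrusted_publickey_logins(log_text, user="vmanage-admin", trusted=TRUSTED_NETS):
    """Public-key logins for `user` whose source IP is outside `trusted`."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m.group("user") != user:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in trusted):
            hits.append((m.group("user"), str(ip)))
    return hits


if __name__ == "__main__":
    for p in suspicious_peers(SAMPLE_CONTROL_CONNECTIONS):
        print("REVIEW peer", p["peer-system-ip"], "state=up challenge-ack=0")
    for who, ip in untrusted_publickey_logins(SAMPLE_AUTH_LOG):
        print("REVIEW publickey login for", who, "from", ip)
```

Both checks produce review candidates, not verdicts: a peer with challenge-ack:0 can be a transient state on a legitimately reconnecting controller, and a public-key login from an unfamiliar address may be an administrator on a new network, so confirm against change records before escalating to TAC.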

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
  • https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
  • https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
  • https://nvd.nist.gov/vuln/detail/CVE-2026-20182