Cisco on Thursday announced the availability of patches for yet another critical SD-WAN zero-day vulnerability that has been exploited in attacks. It is the sixth SD-WAN flaw whose exploitation came to light in 2026.
The new SD-WAN zero-day is tracked as CVE-2026-20182, and it has been described by Cisco as an authentication bypass vulnerability that can allow a remote attacker to gain admin privileges on the targeted system via specially crafted packets.
The vulnerability affects the peering authentication mechanism in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage).
Cisco said it became aware of active exploitation in May, and the company’s Talos threat intelligence and research group revealed that CVE-2026-20182 appears to have been exploited in limited attacks by a threat actor it tracks as UAT-8616.
UAT-8616 has been described by Talos researchers as a highly sophisticated group, but its motivation and potential connections to a specific country or known group have not been revealed.
The same threat actor previously exploited CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
“UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely,” Talos explained.
Rapid7 has been credited for reporting CVE-2026-20182 to Cisco. The cybersecurity firm, which shared the technical details with the vendor on March 9, said it discovered the weakness during an analysis of CVE-2026-20127, noting that they are different flaws affecting the same component.
Rapid7 disclosed details of the vulnerability on Thursday, and Cisco has made indicators of compromise (IoCs) available to help companies detect potential attacks.
CISA has added CVE-2026-20182 to its KEV catalog, instructing federal agencies to address it within three days.
The KEV list currently includes 15 Cisco SD-WAN vulnerabilities, five of which were discovered this year. In addition to CVE-2026-20182, the other flaws are tracked as CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, and CVE-2026-20127.
An older SD-WAN vulnerability, CVE-2022-20775, was also flagged as exploited in the wild this year, alongside CVE-2026-20127.
Cisco Talos on Thursday described 10 activity clusters observed exploiting SD-WAN vulnerabilities to deliver cryptocurrency miners, credential stealers, backdoors, webshells, and other malware and hacking tools.
Related: Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
Related: Researcher Drops YellowKey, GreenPlasma Windows Zero-Days
Related: Microsoft, Palo Alto Networks Find Many Vulnerabilities by Using AI on Their Own Code
