Cisco Talos has issued a high-priority warning regarding the active, in-the-wild exploitation of several critical vulnerabilities targeting the Cisco Catalyst SD-WAN infrastructure. Threat actors are currently leveraging these flaws to seize administrative control over corporate network fabrics, deploying everything from credential stealers to AI-assisted backdoors.
At the center of this campaign is CVE-2026-20182, a vulnerability carrying the maximum CVSS score of 10 that has put security teams on high alert.
This vulnerability is particularly dangerous because it lets an unauthenticated attacker walk through the front door of an SD-WAN Controller or Manager with the highest possible privileges.
“Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” the report explains.
The flaw exists because the system’s “peering authentication mechanism” fails to validate requests properly. Once inside, an attacker can access NETCONF, a capability that allows them to “manipulate network configuration for the SD-WAN fabric,” potentially rerouting or intercepting sensitive corporate traffic.
Talos has attributed this specific activity to UAT-8616, a “highly sophisticated cyber threat actor” known for modifying NETCONF configurations and attempting to escalate to root privileges.
While UAT-8616 focuses on high-tier targets, a broader set of actors is exploiting three older vulnerabilities, CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122, all of which were patched in February 2026.
Despite the availability of patches, the public release of proof-of-concept (PoC) code by ZeroZenX Labs in March triggered a wave of attacks. Talos reports: “The vast majority of observed exploitation attempts involved the use of the ZeroZenX Labs proof-of-concept code and accompanying JavaServer Pages (JSP) shell, which we are calling ‘XenShell.'”
Security researchers have identified at least ten distinct clusters of malicious activity following these breaches. The payloads discovered illustrate a diverse and dangerous threat landscape:
- AI-Assisted Espionage: Cluster 8 deployed a Nim-based implant that Talos suspects was “created with the help of AI to resemble Nimplant’s functionality,” allowing attackers to exfiltrate data and execute bash commands.
- Infrastructure Looting: Cluster 10 utilized a script named “loot_run.sh” specifically designed to steal admin hashdumps, AWS credentials, and JWT keys used for REST API authentication.
- Cryptojacking: Two clusters (7 and 9) were observed deploying XMRig miners to hijack system resources for Monero mining.
- Advanced Web Shells: Actors are frequently using the “Godzilla” and “Behinder” web shells to maintain persistent access to compromised servers.
Cisco has released fixed software for these vulnerabilities and "strongly encourages customers to upgrade to a supported release."
| SD-WAN Release | First Fixed Release for CVE-2026-20182 |
| --- | --- |
| 20.9 | 20.9.9.1 |
| 20.12 | 20.12.7.1 |
| 20.15 | 20.15.5.2 |
| 20.18 | 20.18.2.2 |
| 26.1 | 26.1.1.1 |
Many older releases (20.11, 20.13, 20.14) have reached End of Software Maintenance, and administrators should migrate to a supported fixed release immediately.
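A quick way to turn the fixed-release table into an inventory check is to compare each device's running release against the first fixed release of its train, using numeric (not string) comparison so that, for example, 20.9.10 is correctly treated as newer than 20.9.9.1. The script below is an added example and is not Cisco's or Talos's code; the fixed-release mapping and the End-of-Software-Maintenance trains (20.11, 20.13, 20.14) are taken from this article, and it assumes release strings are plain dotted decimals as shown in the table. Any train not listed here is reported as unknown rather than guessed.

```python
"""Assess Catalyst SD-WAN release strings against the CVE-2026-20182 fixed-release table.

Added example, not vendor code. FIRST_FIXED mirrors the table in this article;
END_OF_MAINTENANCE lists the trains the article reports as End of Software
Maintenance. Assumption: releases are dotted-decimal strings (e.g. "20.12.7.1").
"""
from __future__ import annotations

from dataclasses import dataclass

# Release train -> first fixed release, as listed in the article.
FIRST_FIXED = {
    "20.9": "20.9.9.1",
    "20.12": "20.12.7.1",
    "20.15": "20.15.5.2",
    "20.18": "20.18.2.2",
    "26.1": "26.1.1.1",
}

# Trains the article names as End of Software Maintenance: no fix will ship, migrate.
END_OF_MAINTENANCE = {"20.11", "20.13", "20.14"}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted release string into an integer tuple.

    Integer tuples compare element-wise, so "20.9.10" > "20.9.9.1" holds here
    even though the strings sort the other way lexicographically.
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-decimal release string: {version!r}")
    return tuple(int(p) for p in parts)


def train_of(version: str) -> str:
    """Return the 'major.minor' train a release belongs to (e.g. '20.12')."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


@dataclass(frozen=True)
class Verdict:
    status: str              # "fixed", "vulnerable", "end_of_maintenance", "unknown_train"
    train: str
    first_fixed: str | None  # the release to reach, where one exists


def assess(version: str) -> Verdict:
    """Decide whether a running release carries the CVE-2026-20182 fix."""
    train = train_of(version)
    if train in END_OF_MAINTENANCE:
        return Verdict("end_of_maintenance", train, None)
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        # Not in the article's table: report it rather than assume either way.
        return Verdict("unknown_train", train, None)
    if parse_version(version) >= parse_version(fixed):
        return Verdict("fixed", train, fixed)
    return Verdict("vulnerable", train, fixed)


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real devices.
    for v in ["20.9.9.1", "20.9.10", "20.9.9", "20.12.5", "20.13.1", "26.1.1.1", "21.0.1"]:
        print(f"{v:>10}  {assess(v)}")
```

Feed it the release strings from your controller and manager inventory; anything reported as `vulnerable` or `end_of_maintenance` needs an upgrade or migration, and `unknown_train` entries should be checked against the current Cisco advisory rather than assumed safe.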