EXECUTIVE SUMMARY
A cyber threat actor, tracked as UAT-8616, is actively exploiting a previously disclosed authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that allows an unauthenticated remote attacker to obtain administrative privileges on affected systems. Exploitation appears to have been limited so far, but the threat actor has been observed using this access to deploy webshells, modify NETCONF configurations, and escalate to root privileges.
UAT-8616 has also been linked to the exploitation of a similar vulnerability in Cisco Catalyst SD-WAN Controller, CVE-2026-20127, and has a history of targeted and sophisticated attacks against Cisco SD-WAN systems. Initial access is gained by exploiting vulnerabilities in Cisco Catalyst SD-WAN Manager infrastructure, specifically CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122.
Once inside, the actor deploys webshells and other malicious tooling, such as XenShell, Godzilla, and Behinder, which allow attackers to execute bash commands on the affected system. The actor has also been observed deploying cryptocurrency miners, such as XMRig, and gsocket, a peer-based proxying and tunneling tool. This attack chain highlights the need for organizations to prioritize patching and monitoring of their SD-WAN systems and to implement robust security controls that prevent lateral movement and data exfiltration.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Impact | T1496 | Resource Hijacking | — |
REFERENCES:
The following reports contain further technical details:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
https://securityonline.info/cisco-catalyst-sd-wan-vulnerability-cve-2026-20182-exploited-cvss-10/