    Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

By admin, May 15, 2026

    A highly sophisticated threat actor is exploiting a critical vulnerability in Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Controllers.

    Rapid7 disclosed CVE-2026-20182, an authentication bypass vulnerability in Cisco’s market-leading network management solution. By allowing unauthenticated attackers free rein over one of an organization’s most powerful tools, it earned the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS).

    In an updated blog post today, Rapid7 director of vulnerability intelligence Douglas McKee hammered home just how serious an issue this was. “Attackers have become very good at turning central infrastructure weaknesses into high impact operations,” he warned, and for nation-states in particular, “an SD-WAN controller is a great place to do [espionage], because it lives in the middle of trust relationships most organizations rarely question.” To avoid sensationalizing, McKee added, “To be fair, not every bug turns into Internet-wide exploitation overnight.”

    In fact, CVE-2026-20182 had been exploited overnight. In a separate publication that same day, researchers at Cisco Talos flagged that a group it tracks as UAT-8616 has already gotten to it.

    Hackers Leverage Critical Bugs in Cisco Catalyst

    Not only is CVE-2026-20182 not the first vulnerability discovered in Cisco Catalyst this year, it isn’t even the first authentication bypass vulnerability with a “critical” 10 score on the CVSS scale.

Back in February, Cisco revealed half a dozen issues with Catalyst. The cream was CVE-2026-20127, which gave unauthenticated attackers the power to log into Cisco controllers as high-privileged users. Though Cisco characterized in-the-wild exploitation of CVE-2026-20127 as “limited,” Talos researchers suggested that it was extensive, lasting at least a few years — a lifetime in cyber years. They labeled the threat actor cluster behind that exploitation “UAT-8616,” calling it “highly sophisticated.”

Cisco patched CVE-2026-20127, threatening to derail UAT-8616’s fun. The threat actor was unfazed, though, as it seems to have almost immediately picked up with yet another, nearly identical vulnerability in the very same product line.

    The difference is really only a technicality. In February, the issue was that the Catalyst Controller and Manager weren’t rigorous enough in authenticating SD-WAN components, so any hacker off the street could use a specially crafted message to impersonate a device and get in. This month, the problem is that the Controller doesn’t actually verify the legitimacy of a specific type of component — a hub router, “vHub,” used in cloud deployments — before authenticating it. As a consequence, and as with the February CVE before it, attackers can use this new CVE to obtain administrative privileges in targeted systems and access “NETCONF,” a protocol through which they could mess with all kinds of network configurations.

    What Might Happen Next to Cisco’s Customers

    The first time UAT-8616 exploited a Catalyst authentication bypass bug, it took advantage of its access to exploit an older vulnerability, CVE-2022-20775, and escalate from privileged to outright root access. Without spelling it out, Talos indicated that the threat actor might have been “looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors.” 

    This time around, the researchers observed the threat actor performing “similar post-compromise actions” after winning initial access, including adding SSH keys to targeted systems, modifying NETCONF configurations, and escalating to root.
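Of the three post-compromise actions Talos lists, the addition of SSH keys is the one a defender can check for most directly: compare the keys currently authorized on a controller or router against a recorded baseline and alert on anything extra. The script below is an added example written for this article; it is not code from Cisco, Talos or Rapid7, and all key material, comments and hostnames in it are constructed for the demonstration. It parses authorized_keys-style text (including entries with an options prefix such as `from=...`), computes OpenSSH-style SHA256 fingerprints, and reports keys absent from the baseline.

```python
"""Flag SSH authorized_keys entries that are not on an approved baseline.

Added example for this article, not Cisco, Talos or Rapid7 code. All key
blobs, comments and hostnames below are constructed sample data.
"""
import base64
import hashlib

# Key types recognised in the first (or post-options) position of a line.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com",
)


def _constructed_blob(label: str) -> str:
    """Build a syntactically plausible ed25519 public-key blob from a label.

    Constructed for this example only; it is not real key material.
    """
    raw = (b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
           + hashlib.sha256(label.encode()).digest())
    return base64.b64encode(raw).decode()


# Constructed baseline: keys approved for this host in the config record.
BASELINE_KEYS = "\n".join([
    "# approved keys recorded in the configuration baseline (constructed)",
    f"ssh-ed25519 {_constructed_blob('ops-admin')} ops-admin@jumphost",
    f"ssh-ed25519 {_constructed_blob('backup-svc')} backup-svc@automation",
])

# Constructed "live" file: the two approved keys plus one that was never approved.
CURRENT_KEYS = "\n".join([
    f"ssh-ed25519 {_constructed_blob('ops-admin')} ops-admin@jumphost",
    f"ssh-ed25519 {_constructed_blob('backup-svc')} backup-svc@automation",
    f'from="203.0.113.7",no-pty ssh-ed25519 {_constructed_blob("intruder")} unknown@external',
])


def parse_authorized_keys(text: str) -> list[tuple[str, str, str]]:
    """Return (key_type, base64_blob, comment) for each key line.

    Blank lines and '#' comments are skipped. An options prefix such as
    from="..." or no-pty may precede the key type; options containing
    whitespace inside quotes are not handled by this simple split.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                entries.append((tok, tokens[i + 1], comment))
                break
    return entries


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the blob's digest, unpadded."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unapproved(current_text: str, baseline_text: str) -> list[tuple[str, str]]:
    """Return (fingerprint, comment) for every current key missing from the baseline."""
    approved = {fingerprint(blob) for _, blob, _ in parse_authorized_keys(baseline_text)}
    return [(fingerprint(blob), comment)
            for _, blob, comment in parse_authorized_keys(current_text)
            if fingerprint(blob) not in approved]


if __name__ == "__main__":
    for fp, comment in find_unapproved(CURRENT_KEYS, BASELINE_KEYS):
        print(f"ALERT unapproved SSH key {fp} ({comment or 'no comment'})")
```

Matching on fingerprints rather than on the comment field matters because the comment is free text an intruder controls; a baseline keyed on fingerprints cannot be satisfied by relabelling a foreign key as `ops-admin@jumphost`. The same comparison applies to any device that exposes its authorized keys, whether pulled over NETCONF or read from a filesystem backup.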

    Little is known of UAT-8616 beyond all this, but those willing to speculate might note that the most sophisticated threat actors who abuse edge technologies, especially Cisco products, are usually Chinese. On top of that, in its latest blog, Talos wrote that UAT-8616 “overlaps with the Operational Relay Box (ORB) networks” it tracks, ORBs being most common among Chinese groups.

    Organizations that hope to avoid UAT-8616 should implement Cisco’s newly released patch for CVE-2026-20182. Otherwise, “Centralized control planes do carry higher consequences when a vulnerability occurs, because a single compromised controller can affect the entire overlay network,” warns Jonah Burgess, senior security researcher at Rapid7.

    Despite the huge risks from vulnerabilities that seem to be coming hard and fast these days, Burgess suggests that organizations not be too dissuaded. “Centralized SD-WAN management solves real operational problems, and the architecture itself isn’t the flaw,” he says.
