VYPR
Tag: KEV · Published May 15, 2026 · Updated May 17, 2026 · 2 sources

Cisco SD-WAN Zero-Day Exploited by Persistent Threat Actor UAT-8616

A critical, actively exploited zero-day vulnerability in Cisco Catalyst SD-WAN Controller allows unauthenticated attackers to gain full administrative access, triggering an emergency CISA mandate.

A maximum-severity, unauthenticated remote code execution vulnerability in Cisco Catalyst SD-WAN Controller is currently being exploited in the wild, prompting an emergency directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [GovInfoSecurity]. The flaw, tracked as CVE-2026-20182, carries a CVSS score of 10 and allows attackers to bypass authentication to gain full administrative control over affected systems [GovInfoSecurity, CyberScoop].

The vulnerability resides within the `vdaemon` service, which manages the control-plane peering between controllers and edge devices via UDP port 12346 [GovInfoSecurity]. By exploiting a broken peering authentication mechanism, an attacker can effectively impersonate a trusted network router, tricking the controller into granting them administrative privileges [CyberScoop]. Rapid7 researchers, who discovered the flaw while investigating previous SD-WAN vulnerabilities, described the exploit as a "Jedi mind trick" that functions like a "master key" for the network [CyberScoop].

Once access is obtained, attackers can manipulate network configurations, inject SSH keys, modify NETCONF settings, and escalate privileges to root [GovInfoSecurity]. Because the `vdaemon` service handles Overlay Management Protocol (OMP) messages, including route advertisements and transport location tables, compromising this service grants an attacker total control over the entire SD-WAN overlay routing fabric [GovInfoSecurity].

Cisco’s threat intelligence team, Talos, has attributed the ongoing exploitation to a threat actor tracked as UAT-8616 [GovInfoSecurity, CyberScoop]. This group has a history of targeting critical infrastructure and has been linked to operational relay box (ORB) networks, which are frequently associated with state-sponsored espionage [GovInfoSecurity]. Cisco confirmed that the vulnerability affects all deployment types, including on-premises, cloud, and FedRAMP environments [CyberScoop].

In response to the active exploitation, Cisco released patches on May 14, 2026, and strongly urged customers to upgrade to the latest fixed software releases [GovInfoSecurity, CyberScoop]. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after disclosure, mandating that federal agencies apply the necessary patches by May 17, 2026 [GovInfoSecurity].

This incident is part of a broader, concerning trend of persistent attacks against Cisco’s network edge software. Since late February, CISA has added seven vulnerabilities affecting Cisco SD-WAN and firewall products to its KEV catalog [CyberScoop]. Beyond CVE-2026-20182, researchers have observed at least 10 threat groups actively chaining other vulnerabilities, specifically CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, against unpatched infrastructure [GovInfoSecurity, CyberScoop]. As threat actors continue to focus on these critical networking components, organizations are advised to prioritize patching and monitor for unauthorized configuration changes [CyberScoop].
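One concrete way to act on the monitoring advice above, given that the article identifies UDP port 12346 as the `vdaemon` peering channel: flag control-plane flows to the controller that come from addresses outside the set of managed edge devices. The script below is an added example, not code from the article, Cisco, Rapid7 or Talos. The controller address, the edge subnet, and the "src,dst,proto,dport" flow-record format are assumptions; the sample records are constructed.

```python
"""Allowlist check for SD-WAN control-plane peering flows.

Added example, not code from the article, Cisco, Rapid7 or Talos. The article
states that the vdaemon service peers with edge devices over UDP port 12346.
This script reads constructed flow-log records and reports UDP/12346 flows to
the controller whose source is not a known edge device. The record format,
the controller address and the edge subnet are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

CONTROL_PLANE_PORT = 12346  # UDP port used by vdaemon peering, per the article


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample flow records in an assumed "src,dst,proto,dport" format.
SAMPLE_FLOWS = """\
# src,dst,proto,dport
10.1.1.10,10.0.0.5,udp,12346
10.1.1.11,10.0.0.5,udp,12346
198.51.100.77,10.0.0.5,udp,12346
10.1.1.10,10.0.0.5,tcp,443
203.0.113.9,10.0.0.5,udp,12346
198.51.100.77,10.0.0.5,udp,12346
10.1.1.12,10.0.0.6,udp,12346
this line is malformed
"""

# Assumed deployment: one controller address and one subnet of managed edges.
CONTROLLER = "10.0.0.5"
KNOWN_EDGE_NETWORKS = [ip_network("10.1.1.0/24")]


def parse_flows(text: str) -> List[Flow]:
    """Parse CSV-style flow records, skipping comments and malformed lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        try:
            ip_address(src)  # validate addresses before accepting the record
            ip_address(dst)
            flows.append(Flow(src, dst, proto.lower(), int(dport)))
        except ValueError:
            continue  # unparsable address or port: skip rather than crash
    return flows


def is_known_edge(src: str, networks) -> bool:
    """True when the source address falls inside one of the edge allowlist networks."""
    addr = ip_address(src)
    return any(addr in net for net in networks)


def unexpected_peering_sources(flows: Iterable[Flow], controller: str, networks) -> Dict[str, int]:
    """Count UDP/12346 flows to the controller from sources outside the allowlist."""
    hits: Counter = Counter()
    for f in flows:
        if f.dst != controller or f.proto != "udp" or f.dport != CONTROL_PLANE_PORT:
            continue  # not control-plane peering traffic to this controller
        if not is_known_edge(f.src, networks):
            hits[f.src] += 1
    return dict(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = unexpected_peering_sources(flows, CONTROLLER, KNOWN_EDGE_NETWORKS)
    for src, n in sorted(hits.items()):
        print(f"review: {n} peering flow(s) to {CONTROLLER}:{CONTROL_PLANE_PORT}/udp "
              f"from unlisted source {src}")
```

On the constructed records this reports two unlisted sources (198.51.100.77 twice, 203.0.113.9 once) and ignores the TCP/443 session, the flow to a different controller address, and the malformed line. In a real deployment the allowlist would be built from the controller's own inventory of managed edge devices rather than a single subnet, and a hit is a prompt to review that peer, not by itself proof of compromise.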

Synthesized by Vypr AI