Cisco Patches Sixth Exploited SD-WAN Zero-Day of 2026 as CISA Issues Urgent Directive
Cisco has patched a critical authentication bypass zero-day in its Catalyst SD-WAN software that is currently being exploited by a sophisticated threat actor to gain administrative control.

Cisco has released security patches to address a critical zero-day vulnerability, tracked as CVE-2026-20182, affecting its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager software. The flaw is an authentication bypass vulnerability that allows remote, unauthenticated attackers to gain administrative privileges on affected systems by sending specially crafted packets (SecurityWeek).
The vulnerability resides in the peering authentication mechanism of the software. By exploiting this weakness, an attacker can bypass security controls to gain unauthorized administrative access. According to Cisco Talos, the threat actor identified as UAT-8616 has been observed exploiting this vulnerability in limited, targeted attacks. The group, described as highly sophisticated, has used this access to attempt to add SSH keys, modify NETCONF configurations, and escalate to root privileges (SecurityWeek).
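The post-exploitation behaviour Talos describes (new SSH keys appearing on a controller) is something a defender can hunt for without waiting for vendor IoCs, by comparing the keys currently present on a device against a known-good baseline. The following is an added example, not Cisco, Talos or SecurityWeek code; it assumes an operator already keeps an approved `authorized_keys` baseline per host and can retrieve the current file over a management channel. The key material below is constructed, and the fingerprint is a simplified SHA-256 identifier rather than OpenSSH's own format.

```python
"""Baseline diff for SSH authorized_keys entries (added example, hypothetical tooling)."""
from dataclasses import dataclass
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass(frozen=True)
class SshKey:
    key_type: str
    blob: str      # base64 key material exactly as it appears in the file
    comment: str

    def fingerprint(self) -> str:
        # Simplified stable identifier over type + key material (assumption:
        # good enough for diffing; not OpenSSH's fingerprint format).
        return hashlib.sha256(f"{self.key_type} {self.blob}".encode()).hexdigest()[:16]


def parse_authorized_keys(text: str) -> list[SshKey]:
    """Parse authorized_keys text, tolerating leading options such as command="..."."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Option tokens (command="...", no-pty, from="...") precede the key type;
        # skip tokens until the key type is reached.
        while parts and not parts[0].startswith(KEY_TYPE_PREFIXES):
            parts = parts[1:]
        if len(parts) < 2:
            continue  # malformed line: no key material after the type
        keys.append(SshKey(parts[0], parts[1], " ".join(parts[2:])))
    return keys


def diff_keys(baseline: str, observed: str) -> dict[str, list[SshKey]]:
    """Return keys present on the device but not in the baseline, and vice versa."""
    base = {k.fingerprint(): k for k in parse_authorized_keys(baseline)}
    now = {k.fingerprint(): k for k in parse_authorized_keys(observed)}
    return {
        "added": [now[f] for f in now if f not in base],
        "removed": [base[f] for f in base if f not in now],
    }


# Constructed sample data: an approved baseline and a file pulled from a device
# on which one extra key has appeared.
BASELINE = """\
# approved keys for sdwan-controller-01 (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyOne netops@jumphost
"""
OBSERVED = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyOne netops@jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnexpectedKey root@unknown
"""


def main() -> None:
    findings = diff_keys(BASELINE, OBSERVED)
    for key in findings["added"]:
        print(f"ALERT unexpected key {key.fingerprint()} ({key.key_type}) comment={key.comment!r}")
    for key in findings["removed"]:
        print(f"WARN baseline key missing {key.fingerprint()} comment={key.comment!r}")
    if not findings["added"] and not findings["removed"]:
        print("OK authorized_keys matches baseline")


if __name__ == "__main__":
    main()
```

Any key in `added` is a candidate for the unauthorized-access activity described above and should be triaged alongside the vendor's IoCs; running the comparison from a separate, trusted host keeps the check independent of a controller that may already be compromised.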
This incident marks the sixth Cisco SD-WAN zero-day vulnerability to be exploited in the wild during 2026. The same threat actor, UAT-8616, was previously linked to the exploitation of another SD-WAN flaw, CVE-2026-20127. Researchers at Talos noted that the infrastructure used by UAT-8616 for these campaigns overlaps with known Operational Relay Box (ORB) networks (SecurityWeek). Rapid7, which reported the vulnerability to Cisco on March 9, discovered the issue while analyzing the aforementioned CVE-2026-20127, noting that while the two affect the same component, they are distinct flaws.
In response to the active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the necessary patches within three days to mitigate the risk of compromise. Cisco has provided indicators of compromise (IoCs) to assist organizations in identifying potential unauthorized activity within their environments (SecurityWeek).
The frequent targeting of Cisco SD-WAN infrastructure highlights a broader trend of attackers focusing on edge networking equipment to facilitate deeper network penetration. With 15 Cisco SD-WAN vulnerabilities now included in the CISA KEV list—five of which were identified in 2026 alone—the sector remains a high-priority target for various threat actors. Talos researchers have observed at least 10 distinct activity clusters exploiting these types of vulnerabilities to deploy a range of payloads, including cryptocurrency miners, credential stealers, and backdoors (SecurityWeek).