CISA Flags Critical Cisco SD-WAN Authentication Bypass as Actively Exploited
The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added a critical authentication bypass vulnerability affecting **Cisco** Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are mandated to patch the flaw, tracked as **CVE-2026-20182**, by May 17, 2026, amidst evidence of active exploitation by threat actors.

**CISA** has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate **CVE-2026-20182** by May 17, 2026.
## Authentication Bypass in Cisco Catalyst SD-WAN Controller
The vulnerability, **CVE-2026-20182**, is a critical authentication bypass impacting **Cisco** Catalyst SD-WAN Controller. With a maximum CVSS score of 10.0, it allows an unauthenticated, remote attacker to gain administrative privileges.
"**Cisco** Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," **CISA** stated in its advisory.
## Active Exploitation and Threat Actor Attribution
**Cisco Talos** attributes the active exploitation of **CVE-2026-20182** with high confidence to UAT-8616, a threat cluster previously linked to the exploitation of **CVE-2026-20127**.
"UAT-8616 performed similar post-compromise actions after successfully exploiting **CVE-2026-20182**, as was observed in the exploitation of **CVE-2026-20127** by the same threat actor," **Cisco Talos** reported. The attacker attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.
## Overlapping Infrastructure and Chained Vulnerabilities
The infrastructure used by UAT-8616 overlaps with Operational Relay Box (ORB) networks. Multiple threat clusters have also been exploiting **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** since March 2026.
When chained together, these three vulnerabilities can allow a remote unauthenticated attacker to gain unauthorized access. They were added to **CISA**'s KEV catalog last month.
## Web Shell Deployment and Threat Actor Clusters
Attackers are leveraging publicly available proof-of-concept exploit code to deploy web shells on compromised systems, enabling the execution of arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell, dubbed XenShell, utilizes a PoC released by ZeroZenX Labs.
At least 10 distinct clusters have been identified exploiting these flaws:
* **Cluster 1** (Active since at least March 6, 2026): Deploys the Godzilla web shell.
* **Cluster 2** (Active since at least March 10, 2026): Deploys the Behinder web shell.
* **Cluster 3** (Active since at least March 4, 2026): Deploys the XenShell web shell and a variant of Behinder.
* **Cluster 4** (Active since at least March 3, 2026): Deploys a variant of the Godzilla web shell.
* **Cluster 5** (Active since at least March 13, 2026): Deploys a malware agent compiled off the AdaptixC2 red teaming framework.
* **Cluster 6** (Active since at least March 5, 2026): Deploys the Sliver command-and-control (C2) framework.
* **Cluster 7** (Active since at least March 25, 2026): Deploys an XMRig miner.
* **Cluster 8** (Active since at least March 10, 2026): Deploys the KScan asset mapping tool and a Nim-based backdoor likely based on NimPlant, capable of file operations, bash execution, and system information collection.
* **Cluster 9** (Active since at least March 17, 2026): Deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket.
* **Cluster 10** (Active since at least March 13, 2026): Deploys a credential stealer targeting admin user hashdumps, JSON Web Tokens (JWT) key chunks for REST API authentication, and AWS credentials for vManage.
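The post-compromise actions Talos describes (added SSH keys) and the web-shell drops listed above share a defender-side pattern: new artifacts appearing on a controller that a trusted baseline never contained. The following script is an added example, not code from Cisco, Talos, CISA or this article; it assumes you can export each host's `authorized_keys` content and a listing of its web application root before and after, and all key material, paths and file names in it are constructed for the demonstration rather than indicators tied to these CVEs.

```python
"""Baseline-diff triage for the post-compromise artifacts described in the article.

Added example (not Cisco's, Talos's or CISA's code). Compares a trusted baseline
snapshot of a host against its current state and reports (a) SSH authorized_keys
entries that were added and (b) JSP-family files that appeared under the web root.
All sample data is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: web shells arrive as JSP-family files, as the JSP-based XenShell does.
WEB_SHELL_EXTENSIONS = {".jsp", ".jspx"}


@dataclass
class Snapshot:
    """Baseline or current state of one host (constructed input, not a real export)."""
    authorized_keys: Dict[str, Set[str]]  # user -> set of "keytype base64" entries
    web_files: Set[str]                   # relative paths under the web application root


@dataclass
class Finding:
    kind: str    # "ssh_key_added" or "web_file_added"
    detail: str


def parse_authorized_keys(text: str) -> Set[str]:
    """Extract 'keytype base64' pairs from authorized_keys text.

    Comments and blank lines are skipped. A leading options field (e.g. no-pty or
    command="...") is tolerated by scanning for the first token that looks like a
    key type; options containing quoted spaces are not handled (simplification).
    """
    keys: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
                keys.add(f"{tok} {tokens[i + 1]}")
                break
    return keys


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Report SSH keys and JSP-family web files present now but absent from the baseline."""
    findings: List[Finding] = []
    for user, keys in sorted(current.authorized_keys.items()):
        for key in sorted(keys - baseline.authorized_keys.get(user, set())):
            findings.append(Finding("ssh_key_added", f"{user}: {key}"))
    for path in sorted(current.web_files - baseline.web_files):
        suffix = path[path.rfind("."):].lower() if "." in path else ""
        if suffix in WEB_SHELL_EXTENSIONS:
            findings.append(Finding("web_file_added", path))
    return findings


def run_demo() -> List[Finding]:
    """Run the diff over constructed sample data; every key and path below is made up."""
    baseline_keys = parse_authorized_keys(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY ops@example\n"
    )
    current_keys = parse_authorized_keys(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEY ops@example\n"
        "# entry with no change record behind it\n"
        "no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNKNOWN unknown\n"
    )
    baseline = Snapshot({"admin": baseline_keys}, {"index.jsp", "static/app.js"})
    current = Snapshot(
        {"admin": current_keys},
        {"index.jsp", "static/app.js", "uploads/cmd.jsp", "static/new.css"},
    )
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding.kind}] {finding.detail}")
```

On the constructed data the run reports one added `admin` key and one new file, `uploads/cmd.jsp`; the unrelated `static/new.css` is ignored. The baseline should be captured from a known-good image or from the host before it was reachable on the affected version, and a hit on either finding kind is a reason to follow the Talos and Cisco guidance for the affected controller rather than to clean the single artifact in place.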
## Cisco's Recommendations
**Cisco** urges customers to adhere to the guidance and recommendations provided in the advisories for these vulnerabilities to safeguard their environments.