“UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely,” Talos explained.

Rapid7 has been credited for reporting CVE-2026-20182 to Cisco. The cybersecurity firm, which shared the technical details with the vendor on March 9, said it discovered the weakness during an analysis of CVE-2026-20127, noting that they are different flaws affecting the same component.

Rapid7 disclosed details of the vulnerability on Thursday, and Cisco has made indicators of compromise (IoCs) available to help companies detect potential attacks.

CISA has added CVE-2026-20182 to its KEV catalog, instructing federal agencies to address it within three days.

The KEV list currently includes 15 Cisco SD-WAN vulnerabilities, five of which were discovered this year. In addition to CVE-2026-20182, the other flaws are tracked as CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, and CVE-2026-20127.

An older SD-WAN vulnerability, CVE-2022-20775, was also flagged as exploited in the wild this year, alongside CVE-2026-20127.

Cisco Talos on Thursday described 10 activity clusters observed exploiting SD-WAN vulnerabilities to deliver cryptocurrency miners, credential stealers, backdoors, webshells, and other malware and hacking tools.
Source: SecurityWeek