Cisco has issued an urgent advisory about ongoing attacks on its software-defined networking products, while Rapid7 has published the technical details of a critical vulnerability that lets an unauthenticated attacker take full control of network infrastructure. The flaw affects the Cisco Catalyst SD-WAN Controller, is tracked as CVE-2026-20182, and carries the maximum severity rating: a CVSS score of 10 out of 10.
Cisco Talos reports that attackers are actively exploiting CVE-2026-20182 in ongoing campaigns. Talos attributes the activity to the threat actor tracked as UAT-8616, a group previously observed exploiting a similar flaw, CVE-2026-20127. After gaining initial access, the attackers added persistent SSH public keys, tampered with NETCONF, and attempted to obtain root privileges. Part of the attackers' command infrastructure overlaps with Operational Relay Box (ORB) networks, which are used deliberately to hide the geographic origin of the traffic.
Rapid7 determined that the vulnerability lies in the vdaemon service, which listens on UDP port 12346. The flaw allows an external party to connect to the controller while posing as a trusted vHub device. The system does not require certificate validation for this device class and treats the inbound connection as authenticated. Once past this check, an attacker can add an SSH key of their choosing to the vmanage-admin account, gaining persistent access to the NETCONF service over SSH.
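One check a defender can run against the key injection described above, as an added example that is not Rapid7's or Cisco's code: audit the vmanage-admin account's authorized_keys against a baseline of approved key fingerprints and flag every entry outside it, malformed lines included. The file contents and the account's key path are constructed assumptions.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list:
    """(key_type, fingerprint, comment) per key line; blank/comment lines are skipped
    and a leading option list such as from="..." or command="..." is tolerated."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted options as single tokens
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            entries.append((tokens[idx], fingerprint(tokens[idx + 1]),
                            " ".join(tokens[idx + 2:])))
        except (TypeError, IndexError, ValueError):  # no type, no blob, or bad base64
            entries.append(("malformed", None, line))  # surface it, never drop it
    return entries

def unexpected_keys(text: str, baseline: set) -> list:
    """Entries whose fingerprint is not in the approved baseline, malformed ones included."""
    return [e for e in parse_authorized_keys(text) if e[1] not in baseline]

def _constructed_blob(seed: bytes) -> str:
    """Constructed placeholder ed25519 blob in SSH wire format; not a real key."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

BASELINE_BLOB = _constructed_blob(b"approved-jumphost")
BASELINE_FINGERPRINTS = {fingerprint(BASELINE_BLOB)}
# Constructed sample file; the vmanage-admin authorized_keys location is an assumption.
SAMPLE_AUTHORIZED_KEYS = f"""# authorized_keys for vmanage-admin (constructed)
ssh-ed25519 {BASELINE_BLOB} ops-jumphost
from="10.0.0.0/8" ssh-ed25519 {_constructed_blob(b'injected')} vmanage-admin
"""

def audit() -> list:
    """Flag every key in the sample that is not in the approved baseline."""
    return unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_FINGERPRINTS)
```

Run the same audit on a copy of the real file and treat any flagged entry, or any fingerprint that changes between runs, as an incident indicator rather than a configuration drift.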
Rapid7 analysts demonstrated a complete working exploit chain. To exploit the flaw, an attacker only needs to complete a DTLS handshake using an arbitrary self-signed certificate, send a crafted CHALLENGE_ACK packet, and then activate the session with a Hello message. After this sequence, the controller wrongly accepts the attacker as a trusted node in the SD-WAN fabric.
At the same time, Cisco Talos documented exploitation campaigns against a broader set of SD-WAN vulnerabilities, specifically CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Threat actors chained these flaws to gain remote code execution on unpatched installations. After compromise, the attackers deployed the XenShell, Godzilla, and Behinder web shells, started XMRig cryptocurrency miners, set up command-and-control infrastructure with Sliver and AdaptixC2, and exfiltrated local credentials along with AWS cloud access tokens.
In one notable incident, the attackers deployed a modified implant written in the Nim programming language, which Cisco Talos suggests may have been produced with AI tooling. The malware was hosted on and fetched from the Replit platform, and was then used for remote command execution, file exfiltration, and reconnaissance of the environment.
Cisco has released security updates and strongly urges administrators to patch without delay. CVE-2026-20182 is fixed in versions 20.12.6.2, 20.12.7.1, 20.15.5.2, and 20.18.2.2. The company explicitly warned that end-of-life SD-WAN software branches will not receive fixes, so administrators running them must migrate to supported releases immediately.