Cisco SD-WAN Zero-Day Vulnerability Exploited
A threat group is exploiting a max-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and Manager, with a CVSS rating of 10, according to a threat advisory from Cisco. The vulnerability, CVE-2026-20182, is an authentication bypass vulnerability that can allow an attacker to obtain the highest level of administrative access.
The vulnerability was discovered and reported to Cisco by Rapid7 on March 9, and Cisco became aware of limited exploitation earlier this month. A patch for the vulnerability was released on Thursday, and the Cybersecurity and Infrastructure Security Agency (CISA) added the defect to its known exploited vulnerabilities catalog.
Impact of the Vulnerability
Douglas McKee, director of vulnerability intelligence at Rapid7, wrote in a blog post that the vulnerability "behaves like a master key" and can allow an attacker to present themselves to the controller as a trusted network router, potentially gaining control over the entire overlay network. "An attacker can obtain the highest level of administrative access," he added.
Jonah Burgess, senior security researcher at Rapid7, told CyberScoop that the vulnerability requires no credentials or prior knowledge of the target environment for exploitation and can affect all deployment types, including on-premises, cloud, and FedRAMP environments.
Threat Group Behind the Attacks
Cisco Talos researchers attributed the latest round of zero-day attacks to UAT-8616, the same group that exploited a pair of separate zero-days in Cisco's network edge software for at least three years before the activity was discovered and reported in February. The company declined to answer questions about the origins or motivations of UAT-8616.
Cisco Talos researchers also warned that UAT-8616 and at least 10 other threat groups have chained three further flaws together, achieving "widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure": CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133.
Recommendations
Cisco's guidance is to upgrade to the fixed software releases and follow the advisories and the Cisco Talos blog. "We strongly recommend customers apply the available fixed software releases and follow the guidance provided in the advisories and Cisco Talos blog," a spokesperson for the company said in a statement.
Rapid7 discovered the latest critical authentication bypass vulnerability while researching CVE-2026-20127, a previous zero-day that the Five Eyes agencies identified and confirmed as actively exploited by UAT-8616 in late 2025.
Conclusion
The latest zero-day exploit marks another challenge for Cisco customers, who have confronted a flood of actively exploited vulnerabilities affecting the vendor's network edge software since late February. CISA has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog in less than three months.
- CVE-2026-20182: max-severity zero-day vulnerability in Cisco Catalyst SD-WAN Controller and Manager
- CVE-2026-20122: vulnerability in Cisco Catalyst SD-WAN Infrastructure
- CVE-2026-20128: vulnerability in Cisco Catalyst SD-WAN Infrastructure
- CVE-2026-20133: vulnerability in Cisco Catalyst SD-WAN Infrastructure
- CVE-2026-20127: previous zero-day exploited by UAT-8616
Cisco customers should apply the available fixed software releases and follow the guidance provided in the advisories and Cisco Talos blog to protect themselves from these vulnerabilities.
Source: CyberScoop