Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

216.73.216.6

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

· Published 14/05/2026 22:10 · Modified 15/05/2026 18:45

Essential information

Published: 14/05/2026 22:10
Modified: 15/05/2026 18:45
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: adaptixc2 authentication bypass behinder cisco credential theft cryptocurrency mining cve-2026-20122 cve-2026-20127 cve-2026-20128 cve-2026-20133 cve-2026-20182 godzilla gsocket kscan nimplant sd-wan sliver webshells xenshell xmrig
Tags: 2026-05-14 CVE-2026-20122 CVE-2026-20127 CVE-2026-20128 CVE-2026-20133 CVE-2026-20182 adaptixc2 authentication bypass behinder cisco credential-theft cryptocurrency mining godzilla gsocket kscan nimplant sd-wan sliver webshells xenshell xmrig
Related entities: 7 vulnerabilities (cve), 26 indicators, 26 observables, 1 intrusion sets (apt), 20 techniques (mitre), 9 malware, 2 others

Description

Cisco Talos tracks active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, allowing remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involved in similar attacks. Additionally, multiple threat clusters have been exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026, following public release of proof-of-concept code by ZeroZenX Labs. Post-compromise activities include deployment of various webshells, including XenShell, Godzilla, and Behinder variants, along with cryptocurrency miners, red team frameworks like Sliver and AdaptixC2, and credential stealers. Ten distinct threat clusters have been identified, each utilizing different malicious tooling and infrastructure. Affected systems require immediate patching and security measures.