Security Tools & Reviews · May 15, 2026

Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)

Source: Tenable · Archived May 15, 2026




8-minute read · May 14, 2026
By Research Special Operations

Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.

Key Takeaways

- CVE-2026-20182 is a critical (CVSSv3 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, disclosed on May 14 with confirmed active exploitation.
- A sophisticated threat actor designated UAT-8616 has exploited Cisco SD-WAN vulnerabilities since at least 2023, and 10 additional threat clusters began exploiting multiple SD-WAN vulnerabilities after public proof-of-concept code became available.
- Patches are available for all supported Cisco Catalyst SD-WAN releases, and CISA has mandated remediation by May 17 under Emergency Directive 26-03.

Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.

FAQ

When were these Cisco SD-WAN vulnerabilities first disclosed?

On February 25, 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The security advisory covering these three CVEs (cisco-sa-sdwan-authbp-qwCX8D4v) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122, and again in April to confirm that CVE-2026-20133 had also been exploited.
On May 14, 2026, Cisco published a new advisory (cisco-sa-sdwan-rpa2-v69WY2SW) for CVE-2026-20182, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. This vulnerability is also under active exploitation.

What are the vulnerabilities associated with the Cisco SD-WAN exploitation?

There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:

CVE            | Description                                                                        | CVSSv3 | Cisco Advisory
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability   | 10.0   | cisco-sa-sdwan-rpa2-v69WY2SW
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability   | 10.0   | cisco-sa-sdwan-rpa-EHchtZk
CVE-2026-20133 | Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability                 | 7.5    | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager Credential Access Vulnerability                      | 7.5    | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability               | 5.4    | cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2022-20775 | Cisco SD-WAN CLI Path Traversal Privilege Escalation Vulnerability                 | 7.8    | cisco-sa-sd-wan-priv-E6e8tEdF

Both CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.

What products are affected?

The following table lists the CVEs and affected devices.
None of these vulnerabilities require a specific device configuration to be exploitable, and all deployment models are affected:

CVE            | Affected Device(s)
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
CVE-2026-20133 | Cisco Catalyst SD-WAN Manager
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager
CVE-2022-20775 | Cisco SD-WAN Software: SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, SD-WAN vSmart Controller Software

How severe is the exploitation?

Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root. Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.

Who is UAT-8616?

UAT-8616 is the designation Cisco Talos assigned to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to Cisco Talos, UAT-8616 targets critical infrastructure sectors, and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks. UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access; where CVE-2026-20127 is the entry point, it then performs a software version downgrade to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path.
Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.

Are there other threat actors exploiting these vulnerabilities?

Yes. Cisco Talos has identified 10 additional threat clusters that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.

Are proofs-of-concept (PoCs) available?

Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 exploit chain in March 2026. The PoC release directly correlated with the surge in exploitation activity across multiple threat clusters, and the availability of public PoC code raises the risk to any exposed SD-WAN infrastructure that remains unpatched.

What actions has CISA taken?

CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:

- February 25, 2026: Added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalog
- April 20, 2026: Added CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 to the KEV catalog
- May 14, 2026: Added CVE-2026-20182 to the KEV catalog with an action deadline of May 17, 2026
- May 14, 2026: Issued Emergency Directive 26-03 and published Hunt & Hardening Guidance for Cisco SD-WAN Devices

All five 2026 CVEs in this campaign, together with CVE-2022-20775, are now in CISA's KEV catalog.

Are patches available?

Cisco has released patches for each of the vulnerabilities discussed in this blog.
We recommend reviewing the Cisco security advisory for each CVE to identify the fixed release and any considerations that must be met for the patch to apply successfully.

Are there indicators of compromise (IoC)?

Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:

- Log evidence: check /var/log/auth.log for "Accepted publickey for vmanage-admin" entries from unknown or unauthorized IP addresses.
- Control connection anomalies: run show control connections detail or show control connections-history detail and look for connections with state: up and challenge-ack: 0, which may indicate unauthorized peering.
- Post-compromise artifacts: unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys, PermitRootLogin enabled in /etc/ssh/sshd_config, and unexplained software downgrades followed by reboots.

Full IoC lists, including C2 server IPs, malware file hashes and attacker source IPs, are available in the Cisco Talos blog.

Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?

Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128 and CVE-2026-20122 have been classified as Vulnerabilities of Interest under Vulnerability Watch due to confirmed active exploitation and the availability of public proof-of-concept code. Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.

Has Tenable released product coverage?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 and CVE-2022-20775. These links display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
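The three indicator classes above (auth.log logins, control connections that are up without a completed challenge, and SSH persistence artifacts) are easy to check by hand on one controller but worth scripting across a fabric. The following Python is an added example, not Tenable's or Cisco's tooling, and not code from the original post. The account name vmanage-admin and the fields state and challenge-ack come from the advisories; every input (auth.log lines, the control-connection output, sshd_config and authorized_keys content, the IP addresses and peer IDs) is constructed for the example. The line layout of show control connections detail output is an assumption, so the parser depends only on those two named fields, and authorized_keys entries are assumed to have no option prefix.

```python
"""Hunt helpers for the Cisco SD-WAN indicators listed above.

Added example, not Tenable's or Cisco's tooling. All sample input is
constructed. The layout of `show control connections detail` output is an
assumption; the parser keys only on the `state` and `challenge-ack` fields.
authorized_keys entries are assumed to be "type blob [comment]" (no options).
"""
import base64
import hashlib
import re
from typing import Iterable

# Standard sshd format: "Accepted publickey for USER from IP port N ssh2: ..."
AUTH_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def suspicious_publickey_logins(auth_log: Iterable[str], allowed_ips: set,
                                user: str = "vmanage-admin") -> list:
    """(ip, line) for key-based logins as `user` from an IP outside the allowlist."""
    hits = []
    for line in auth_log:
        m = AUTH_RE.search(line)
        if m and m.group("user") == user and m.group("ip") not in allowed_ips:
            hits.append((m.group("ip"), line.strip()))
    return hits


# Assumed layout: one blank-line-separated block per peer, "key: value" per line.
FIELD_RE = re.compile(r"^\s*(?P<key>[\w-]+)\s*:?\s+(?P<val>\S+)", re.M)


def parse_control_connections(text: str) -> list:
    return [{m.group("key").lower(): m.group("val") for m in FIELD_RE.finditer(block)}
            for block in re.split(r"\n\s*\n", text.strip()) if block.strip()]


def unauthenticated_peers(text: str) -> list:
    """Peers that are up yet never completed the challenge exchange (challenge-ack 0)."""
    return [p for p in parse_control_connections(text)
            if p.get("state", "").lower() == "up" and p.get("challenge-ack") == "0"]


def root_login_permitted(sshd_config: str) -> bool:
    """sshd honours the FIRST uncommented PermitRootLogin. Anything but 'no'
    (yes, prohibit-password, forced-commands-only) still accepts a planted
    root key; if absent, OpenSSH defaults to prohibit-password. Match blocks
    are not modelled here."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() != "no"
    return True


def key_fingerprint(entry: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one 'type blob [comment]' entry."""
    digest = hashlib.sha256(base64.b64decode(entry.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unknown_authorized_keys(text: str, known_fingerprints: set) -> list:
    """(fingerprint, entry) for keys missing from the inventory of approved admin keys."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fp = key_fingerprint(line)
            if fp not in known_fingerprints:
                unknown.append((fp, line))
    return unknown


# ---- constructed sample input (not real logs, hosts or keys) ----
SAMPLE_AUTH_LOG = [
    "May 14 02:11:07 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.0.5.20 port 50122 ssh2: ED25519 SHA256:aaaa",
    "May 14 02:19:43 vmanage sshd[4188]: Accepted publickey for vmanage-admin from 203.0.113.44 port 41230 ssh2: RSA SHA256:bbbb",
    "May 14 02:20:01 vmanage sshd[4190]: Accepted password for netops from 10.0.5.21 port 50200 ssh2",
]
ALLOWED_ADMIN_IPS = {"10.0.5.20"}

SAMPLE_CONTROL = """\
peer-type: vsmart
peer-id: 1.1.1.3
state: up
challenge-ack: 1

peer-type: vmanage
peer-id: 1.1.1.9
state: up
challenge-ack: 0
"""

SAMPLE_SSHD = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n"


def _fake_key(label: str) -> str:
    # Not a real key: the blob is just the label base64-encoded, enough to fingerprint.
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode() + " " + label


SAMPLE_KEYS = _fake_key("approved-admin-key") + "\n" + _fake_key("injected-key") + "\n"
KNOWN_FPS = {key_fingerprint(_fake_key("approved-admin-key"))}


def run_hunt() -> dict:
    """Run every check against the constructed sample and return the findings."""
    return {
        "logins": suspicious_publickey_logins(SAMPLE_AUTH_LOG, ALLOWED_ADMIN_IPS),
        "peers": unauthenticated_peers(SAMPLE_CONTROL),
        "root_login": root_login_permitted(SAMPLE_SSHD),
        "unknown_keys": unknown_authorized_keys(SAMPLE_KEYS, KNOWN_FPS),
    }
```

Calling run_hunt() on the sample flags the login from 203.0.113.44, the vmanage peer 1.1.1.9 that is up with challenge-ack 0, the enabled PermitRootLogin, and the injected key. Two design points matter when adapting it to real hosts: sshd takes the first PermitRootLogin it sees, so a hardened "no" that an attacker has prepended a "yes" above is what this function catches, and fingerprinting keys rather than string-matching lets the approved-key inventory live in one place regardless of comment or whitespace differences between hosts.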
Additionally, customers can use Tenable Attack Surface Management to identify public-facing assets running Cisco Catalyst SD-WAN with the following query: Document Title contains Cisco Catalyst SD-WAN.

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Author: Research Special Operations. The Research Special Operations (RSO) team serves as Tenable's Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets.

References

Cisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SW
Cisco Talos: SD-WAN Ongoing Exploitation
Cisco Talos: UAT-8616 SD-WAN Campaign
Tenable blog: CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the Wild