
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

4 unique sources, 9 articles

Summary


A critical authentication bypass vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to bypass authentication and obtain administrative privileges. The flaw stems from a malfunction in the peering authentication mechanism within the 'vdaemon' service and impacts all deployment models. CVE-2026-20182 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, mandating federal patching by May 17, 2026. Cisco has attributed exploitation with high confidence to UAT-8616, the same cluster responsible for weaponizing CVE-2026-20127 since at least 2023. The threat actor leverages the flaw for post-compromise actions, including adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Infrastructure overlaps with Operational Relay Box (ORB) networks, commonly linked to Chinese state-sponsored actors. Threat actors have chained CVE-2026-20182 with CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to enable unauthorized access, deploying web shells, malware frameworks, and tools such as Godzilla, Behinder, XenShell, and credential stealers. Cisco recommends immediate updates, restricting access to management interfaces, and monitoring for indicators of compromise.

Timeline

  1. 05.03.2026 12:32 6 articles · 2mo ago

    Cisco flags additional SD-WAN flaws as actively exploited

    Clarifies that CVE-2026-20182 allows unauthenticated attackers to impersonate hub routers (vHub) in cloud deployments to gain administrative privileges, and that the UAT-8616 threat actor has performed post-compromise actions such as adding SSH keys, modifying NETCONF configurations, and escalating to root. Also confirms attribution of UAT-8616 to activity overlapping with Operational Relay Box (ORB) networks, commonly linked to Chinese state-sponsored threat actors. Cisco’s advisory and CISA’s addition of CVE-2026-20182 to the Known Exploited Vulnerabilities Catalog elevate urgency for patching by May 17, 2026.

  2. 25.02.2026 20:01 7 articles · 2mo ago

    Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023

    Adds confirmation that CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, mandating Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. Reinforces that Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 since at least 2023, and notes post-compromise actions such as adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Confirms overlap of UAT-8616 infrastructure with Operational Relay Box (ORB) networks and details the chaining of CVE-2026-20182 with CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to enable unauthorized access. Describes the deployment of web shells and malware frameworks such as Godzilla, Behinder, XenShell, AdaptixC2, Sliver, XMRig, KScan, and credential stealers by at least 10 different threat clusters.


Similar Happenings

Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal

State-sponsored threat actors tracked as CL-STA-1132 exploited the critical PAN-OS firewall zero-day CVE-2026-0300 since at least April 9, 2026, achieving initial unauthenticated remote code execution by April 16–17, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal service, enabled root-level arbitrary code execution on exposed PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes and immediately began erasing forensic artifacts, including crash kernel messages and nginx records, to evade detection. Post-compromise activity included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tunneling tools on April 29, 2026, targeting additional network devices. The adversary’s use of open-source tools and disciplined, intermittent operational sessions over weeks minimized signature-based detection while maintaining stealth. Over 5,400 PAN-OS VM-Series firewalls remain exposed on the internet, predominantly in Asia and North America. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog on May 7, 2026, mandating federal remediation by May 9, 2026. Palo Alto Networks released initial patches for CVE-2026-0300 on May 14, 2026.

Critical Cisco Identity and Webex services vulnerabilities patched; code execution and user impersonation risks resolved

Cisco has released patches addressing four critical vulnerabilities (CVSS 9.8–9.9) in Identity Services Engine (ISE) and Webex Services. The flaws include improper certificate validation in Webex SSO integration (CVE-2026-20184) enabling unauthenticated remote attackers to impersonate any user and gain unauthorized access to Webex services, and insufficient input validation in ISE (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186) allowing authenticated remote code execution and command injection with potential root access. CVE-2026-20184 requires customer action—uploading a new SAML certificate for the identity provider (IdP) to Control Hub—to avoid service interruption. Successful exploitation of ISE vulnerabilities could render single-node ISE deployments unavailable, causing a denial of service. As of publication, Cisco PSIRT has no evidence of active exploitation in attacks.

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP APM or systems in appliance mode to deploy webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, while CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days. Multiple actors are probing F5 infrastructure, with observed payload deviations and scanning targeting REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the NCSC has urged immediate patching in the UK due to confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices including system rebuilding due to potential persistent malware in UCS backups.

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment. On May 9, 2026, TeamPCP published a malicious version of the Checkmarx Jenkins AST plugin (2.0.13-829.vc72453fa_1c16) to the Jenkins Marketplace, defacing the plugin’s GitHub repository with pro-TeamPCP messaging. The compromise was facilitated using credentials stolen in the March 2026 Trivy supply-chain attack and occurred outside the plugin’s official release pipeline, lacking a git tag or GitHub release. Checkmarx isolated its GitHub repositories from customer environments and stated no customer data was stored in them. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older.

Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access

A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. Cisco issued its first advisory for CVE-2026-20131 on March 4, 2026, and Amazon Threat Intelligence confirmed active exploitation by Interlock starting in late January. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by March 22, 2026, under BOD 22-01. Post-exploitation tooling includes custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are leveraged for ransomware operations and secondary monetization. AWS’s detailed analysis reveals additional post-exploitation components such as a memory-resident backdoor intercepting HTTP requests, Volatility for RAM credential parsing, and Certify for Active Directory Certificate Services misconfiguration exploitation.