{"id":214233,"date":"2026-05-15T01:28:00","date_gmt":"2026-05-15T05:28:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/cisa-adds-cisco-sd-wan-cve-2026-20182-to-kev-after-admin-access-exploits\/"},"modified":"2026-05-15T04:00:08","modified_gmt":"2026-05-15T08:00:08","slug":"cisa-adds-cisco-sd-wan-cve-2026-20182-to-kev-after-admin-access-exploits-2","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/15\/cisa-adds-cisco-sd-wan-cve-2026-20182-to-kev-after-admin-access-exploits-2\/","title":{"rendered":"CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/cisa-adds-cisco-sd-wan-cve-2026-20182.html\">CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/cisa-adds-cisco-sd-wan-cve-2026-20182.html\">https:\/\/thehackernews.com\/2026\/05\/cisa-adds-cisco-sd-wan-cve-2026-20182.html<\/a><\/p>\n<p>Publish Date: 2026-05-15 01:28:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Ravie Lakshmanan, May 15, 2026. Vulnerability \/ Credential Theft<br \/>\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026.<br \/>\nThe vulnerability is a critical authentication bypass tracked as CVE-2026-20182. 
It&#8217;s rated 10.0 on the CVSS scoring system, indicating maximum severity.<br \/>\n&#8220;Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,&#8221; CISA said.<br \/>\nIn a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems.<br \/>\n&#8220;UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,&#8221; Cisco Talos said. &#8220;UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.&#8221;<br \/>\nIt&#8217;s assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026.<br \/>\nThe three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device. They were added to CISA&#8217;s KEV catalog last month.<\/p>\n<p>The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. 
One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to the use of a PoC released by ZeroZenX Labs.<br \/>\nAt least 10 different clusters have been linked to the exploitation of the three flaws &#8211;<\/p>\n<ul>\n<li>Cluster 1 (Active since at least March 6, 2026), which deploys the Godzilla web shell<\/li>\n<li>Cluster 2 (Active since at least March 10, 2026), which deploys the Behinder web shell<\/li>\n<li>Cluster 3 (Active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder<\/li>\n<li>Cluster 4 (Active since at least March 3, 2026), which deploys a variant of the Godzilla web shell<\/li>\n<li>Cluster 5 (Active since at least March 13, 2026), which deploys a malware agent built from the AdaptixC2 red teaming framework<\/li>\n<li>Cluster 6 (Active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework<\/li>\n<li>Cluster 7 (Active since at least March 25, 2026), which deploys an XMRig miner<\/li>\n<li>Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and a Nim-based backdoor that&#8217;s likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information<\/li>\n<li>Cluster 9 (Active since at least March 17, 2026), which deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket<\/li>\n<li>Cluster 10 (Active since at least March 13, 2026), which deploys a credential stealer that attempts to obtain an admin user&#8217;s hashdump, JSON Web Tokens (JWT) key chunks that are used for REST API authentication, and AWS credentials for vManage<\/li>\n<\/ul>\n<p>Cisco is recommending that customers follow the guidance and recommendations outlined in the advisories for the aforementioned vulnerabilities to protect their environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits 
https:\/\/thehackernews.com\/2026\/05\/cisa-adds-cisco-sd-wan-cve-2026-20182.html Publish Date: 2026-05-15&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214234,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4XG5z00sF3uL0ZbhtZNiergQ9QVaZJydwP1pXEdPh2o29mwvTS2nPKRbxHftwnEJ1pvxMQS9TQknWqbovk-vW7BRPHUSsBhN4yL2iOwJnlmK7lzCdW9tJbKtKLbnfSZSWgfGlWQ6HO807gjR6dP61VylH1zxWtvfo3c7ui8aBecSjVz5miCG0jHoa8rUA\/s1600\/cisa-exploit.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,32,34,27],"class_list":["post-214233","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214233"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214233"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214233\/revisions"}],"predecessor-version":[{"id":214236,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214233\/revisions\/214236"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214234"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=214233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href
":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}