Cisco Patches SD-WAN Zero-Day Exploited by UAT-8616 Since May

Cisco has released patches for a new zero-day vulnerability in its Catalyst SD-WAN Controller and Manager products. The flaw, tracked as CVE-2026-20182, allows remote attackers to bypass authentication and obtain administrative privileges through specially crafted packets sent to the peering mechanism. The vulnerability affects the authentication process in these SD-WAN components. Attackers have used it to add SSH keys, alter configurations, and attempt privilege escalation to root level. Cisco became aware of active exploitation in May and attributes the activity to a sophisticated threat actor tracked internally as UAT-8616. The same group previously leveraged a separate SD-WAN flaw to gain unauthorized access. This marks the sixth SD-WAN zero-day exploited in the wild during 2026. Cisco has published indicators of compromise to assist detection efforts. Federal agencies received instructions to apply fixes within three days after the vulnerability was added to the known exploited list.

Attack Activity Observed

The threat actor conducted limited but targeted operations against SD-WAN deployments. Post-compromise steps included attempts to install cryptocurrency miners, credential stealers, backdoors, and webshells. Infrastructure tied to these operations overlaps with relay networks monitored for ongoing malicious traffic. Organizations running the affected SD-WAN versions face direct risk of remote administrative takeover. No widespread campaign has been reported, yet the pattern of repeated exploitation against the same product line indicates sustained interest from capable adversaries.

Patch and Response Guidance

Cisco has made software updates available for both the Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. Administrators should verify the exact version in use and apply the corresponding fix without delay. Network segmentation and strict access controls around management interfaces can limit exposure until patching is complete.

Mitigation Steps for Organizations

Apply the official Cisco patches to all SD-WAN instances immediately. Review recent authentication logs for unusual access attempts and rotate any credentials that may have been exposed. Enable logging for peering and NETCONF activity to improve visibility into future attempts.

Mitigation Steps for Partners and Vendors

Managed service providers should audit customer environments for unpatched SD-WAN deployments and prioritize rollout according to existing service level agreements. Share the published indicators of compromise with clients and test detection rules in security monitoring platforms.

Mitigation Steps for Individuals

Home users and small teams rarely operate enterprise SD-WAN controllers directly, yet anyone managing Cisco devices should confirm firmware versions through official support channels. Install endpoint protection that can detect post-exploitation tools commonly used in these attacks. Malwarebytes offers scanning and real-time protection suited for identifying related malware on connected systems. Cisco continues to track multiple activity clusters targeting SD-WAN infrastructure. Regular review of vendor advisories remains the most direct way to stay ahead of similar issues. Organizations can find additional guidance on secure network device management in the cybersecurity section.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
