Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Essential information
- Published
- 14/05/2026 22:10
- Modified
- 15/05/2026 18:45
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- adaptixc2 authentication bypass behinder cisco credential theft cryptocurrency mining cve-2026-20122 cve-2026-20127 cve-2026-20128 cve-2026-20133 cve-2026-20182 godzilla gsocket kscan nimplant sd-wan sliver webshells xenshell xmrig
- Tags
- 2026-05-14 CVE-2026-20122 CVE-2026-20127 CVE-2026-20128 CVE-2026-20133 CVE-2026-20182 adaptixc2 authentication bypass behinder cisco credential-theft cryptocurrency mining godzilla gsocket kscan nimplant sd-wan sliver webshells xenshell xmrig
- Related entities
- 7 vulnerabilities (cve), 26 indicators, 26 observables, 1 intrusion set (apt), 20 techniques (mitre), 9 malware, 2 others
Description
Cisco Talos is tracking active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that lets a remote attacker bypass authentication and obtain administrative privileges. Talos attributes this exploitation to UAT-8616, a sophisticated threat actor previously observed in similar attacks. Separately, multiple threat clusters have been exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since March 2026, following the public release of proof-of-concept code by ZeroZenX Labs. Post-compromise activity includes the deployment of webshells (XenShell, Godzilla and Behinder variants), cryptocurrency miners, red-team frameworks such as Sliver and AdaptixC2, and credential stealers. Ten distinct threat clusters have been identified, each using its own malicious tooling and infrastructure. Affected systems should be patched immediately and then reviewed for post-compromise artifacts such as the webshells, miners and C2 implants described here, since patching alone does not remove a foothold that was established before the fix.
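Because the report describes webshells as the main post-compromise foothold, the check a responder wants alongside patching is a sweep of the appliance's web root for webshell-like pages. The script below is an added example, not code from Cisco Talos, Cisco or this report: its heuristics are generic JSP webshell traits (a page that reads request input and also loads request-supplied bytes as a class, performs in-page crypto, runs commands, or base64-decodes input), not signatures for XenShell, Godzilla or Behinder, and it does not use any of the report's 26 indicators. The two sample JSP files and the temporary web root it scans are constructed for the stand-alone run.

```python
"""Hunt for webshell-like JSP files under a web root.

Added example, not Talos's or Cisco's code. The patterns are generic JSP
webshell traits, not signatures for the tooling named in the report, and
the sample files are constructed for a stand-alone run.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# A page is flagged only if it reads attacker-controllable request input...
READS_REQUEST = re.compile(r"request\.(getParameter|getHeader|getInputStream|getReader)\s*\(")
# ...and shows at least one of these capabilities (generic heuristics).
CAPABILITIES = [
    ("reflective-class-load", re.compile(r"defineClass|ClassLoader\s*\.\s*class")),
    ("in-page-crypto", re.compile(r"javax\.crypto\.Cipher|Cipher\.getInstance")),
    ("command-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")),
    ("base64-decode", re.compile(r"Base64\.getDecoder\(\)\.decode|BASE64Decoder")),
]


@dataclass
class Finding:
    path: str
    reasons: list
    modified_hours_ago: float


def scan_file(path, now=None):
    """Return a Finding for one file, or None if it looks benign/unreadable."""
    now = time.time() if now is None else now
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    if not READS_REQUEST.search(text):
        return None
    reasons = [name for name, rx in CAPABILITIES if rx.search(text)]
    if not reasons:
        return None
    age_h = (now - os.path.getmtime(path)) / 3600
    return Finding(path=path, reasons=reasons, modified_hours_ago=round(age_h, 1))


def scan_webroot(root, exts=(".jsp", ".jspx", ".jspf")):
    """Walk the web root; newest suspicious files first, since dropped shells are recent."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                finding = scan_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.modified_hours_ago)


# Constructed sample pages: one ordinary page, one webshell-shaped page.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<% String user = request.getParameter("user"); %>
<html><body>Hello <%= user %></body></html>
"""
SUSPICIOUS_JSP = """<%@ page import="java.util.Base64" %>
<%
  // constructed: loads request-supplied bytes as a class, a generic webshell pattern
  byte[] code = Base64.getDecoder().decode(request.getParameter("p"));
  Class<?> c = new ClassLoader(getClass().getClassLoader()) {
      Class<?> load(byte[] b) { return defineClass(null, b, 0, b.length); }
  }.load(code);
  c.newInstance();
%>
"""


def build_sample_webroot():
    """Create a temporary web root containing the two constructed pages."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "index.jsp"), "w") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(root, "WEB-INF", "x.jsp"), "w") as fh:
        fh.write(SUSPICIOUS_JSP)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f.path, f.reasons, f"modified {f.modified_hours_ago}h ago")
```

Point `scan_webroot` at the real web root of a suspected appliance (or a forensic copy of it) instead of the constructed one; treat hits as leads to triage against a known-good image rather than as confirmed compromise, and remember that shells can be dropped with other extensions or hidden behind classes compiled into WEB-INF, which this text-only sweep will not catch.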