{
  "name": "Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities",
  "slug": "ongoing-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities",
  "description": "Cisco Talos is tracking active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that allows remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involved in similar attacks. Additionally, multiple threat clusters have been exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026, following the public release of proof-of-concept code by ZeroZenX Labs. Post-compromise activity includes the deployment of webshells such as XenShell, Godzilla, and Behinder variants, along with cryptocurrency miners, red team frameworks like Sliver and AdaptixC2, and credential stealers. Ten distinct threat clusters have been identified, each using different malicious tooling and infrastructure. Affected systems require immediate patching and security measures.",
  "published": "2026-05-14T20:10:32.180000+00:00",
  "created_at": "2026-05-15T18:45:09.442000+00:00",
  "modified_at": "2026-05-15T16:45:09+00:00",
  "created_at_opencti": "2026-05-15T18:45:09.442000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "adaptixc2",
    "authentication bypass",
    "behinder",
    "cisco",
    "credential theft",
    "cryptocurrency mining",
    "cve-2026-20122",
    "cve-2026-20127",
    "cve-2026-20128",
    "cve-2026-20133",
    "cve-2026-20182",
    "godzilla",
    "gsocket",
    "kscan",
    "nimplant",
    "sd-wan",
    "sliver",
    "webshells",
    "xenshell",
    "xmrig"
  ],
  "tags": [
    "2026-05-14",
    "CVE-2026-20122",
    "CVE-2026-20127",
    "CVE-2026-20128",
    "CVE-2026-20133",
    "CVE-2026-20182",
    "adaptixc2",
    "authentication bypass",
    "behinder",
    "cisco",
    "credential-theft",
    "cryptocurrency mining",
    "godzilla",
    "gsocket",
    "kscan",
    "nimplant",
    "sd-wan",
    "sliver",
    "webshells",
    "xenshell",
    "xmrig"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "439e8a1a-4f5b-48db-84e8-bebefa6bfc0d",
        "name": "CVE-2026-20133"
      },
      {
        "id": "39ca1758-1585-419d-877c-ac29e56d2b6a",
        "name": "CVE-2026-20127"
      },
      {
        "id": "bc0949fe-2268-4173-a0b4-e03b68e7975e",
        "name": "CVE-2025-20333"
      },
      {
        "id": "1d455674-6340-45a4-a3e1-f1891a2a28c7",
        "name": "CVE-2025-20362"
      },
      {
        "id": "c53d3bd7-9628-4bbd-92fe-5391de9c67b0",
        "name": "CVE-2026-20182"
      },
      {
        "id": "6e399b1b-30e0-40b6-9777-c7389b0c75e2",
        "name": "CVE-2026-20122"
      },
      {
        "id": "63d8dd44-f64e-4df2-868c-c4e13b3c20bd",
        "name": "CVE-2026-20128"
      }
    ],
    "indicators": [
      {
        "id": "17c96acf-62b9-49d9-ac45-9419ff8d1b31",
        "name": "96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46"
      },
      {
        "id": "56c26b48-94dc-45b8-9912-58fa08807b1c",
        "name": "0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d"
      },
      {
        "id": "353391d7-fdbe-4238-a06d-10d95166b435",
        "name": "18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80"
      },
      {
        "id": "3cf01a54-f6ec-448a-adee-d795fce70d73",
        "name": "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
      },
      {
        "id": "2461d25f-6997-48bf-8f1d-c4b1a1f915e3",
        "name": "47.104.248.7"
      },
      {
        "id": "1641c056-7029-4492-a427-ab4101c0ab70",
        "name": "http://83.229.126.195:8081/config.json"
      },
      {
        "id": "b2f3d2b5-c0c9-474c-9452-3e67c78a8e4a",
        "name": "17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925"
      },
      {
        "id": "43167f68-00ec-4ece-a26b-c278d0c29c0b",
        "name": "0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0"
      },
      {
        "id": "bba82f7b-a4cf-4e81-b750-fb570edb0547",
        "name": "38.181.52.89"
      },
      {
        "id": "262445b2-d1b4-4634-a0e4-2033d59189e1",
        "name": "104.233.156.1"
      },
      {
        "id": "fe24eec7-7744-46fc-af9e-0a7730da86d4",
        "name": "1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      },
      {
        "id": "f923dad0-0555-430f-b16b-1c8efc7b36df",
        "name": "b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3"
      },
      {
        "id": "422e0863-2943-4b6a-8f05-24730b3b5169",
        "name": "5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8"
      },
      {
        "id": "e3138703-a79d-4da2-842c-295ce043d69b",
        "name": "38.60.214.92"
      },
      {
        "id": "22ee0df4-9492-4e48-911c-f73d6383fcf9",
        "name": "02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8"
      },
      {
        "id": "d2745ef0-a923-4568-855b-05f8a1397d92",
        "name": "83.229.126.195"
      },
      {
        "id": "1181adf7-0df8-4633-a61a-b69249da6b9a",
        "name": "89.125.244.33"
      },
      {
        "id": "a9687cc9-2152-4273-86b4-b523473970a4",
        "name": "72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060"
      },
      {
        "id": "1aade14f-4e51-4488-acc2-d5e7f43f6cd4",
        "name": "176.65.139.31"
      },
      {
        "id": "98c50902-e190-4aed-bdbd-4ea29478fc08",
        "name": "71.80.85.135"
      },
      {
        "id": "d86981bd-9809-4bbd-93ce-fbf4a93c9a0d",
        "name": "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      },
      {
        "id": "70585e3e-4dcf-48eb-a63c-c8c7678cfbbc",
        "name": "89.125.244.51"
      },
      {
        "id": "00c1783c-839e-4d90-9b7d-84bd9ead6b9c",
        "name": "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download"
      },
      {
        "id": "c7e938f1-088d-4387-b746-2d04d9969437",
        "name": "f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1"
      },
      {
        "id": "9dfb37be-8096-4735-9442-4477d2b1e0e7",
        "name": "7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1"
      },
      {
        "id": "b8b2699a-b606-427f-8653-27b8fdd1e156",
        "name": "23.27.143.170"
      }
    ],
    "intrusion_sets": [
      {
        "id": "35b1573d-ba0a-4741-8438-92aca7149b84",
        "name": "UAT-8616",
        "slug": "uat-8616"
      }
    ],
    "attack_patterns": [
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "29397576-b3af-4bac-8cab-de3c2ba4b9a0",
        "name": "T1552.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      }
    ],
    "malware": [
      {
        "id": "8eab7986-175c-487c-877d-9433e45041f3",
        "name": "XenShell",
        "slug": "xenshell"
      },
      {
        "id": "6e24d6d5-190d-4425-a63d-51ec0f89528d",
        "name": "AdaptixC2",
        "slug": "adaptixc2"
      },
      {
        "id": "3c76b786-b9fb-4075-9b39-d6029128d94f",
        "name": "KScan",
        "slug": "kscan"
      },
      {
        "id": "c70c9980-18de-4208-93f5-0bd2dddeb40c",
        "name": "Sliver",
        "slug": "sliver"
      },
      {
        "id": "6fe8a03e-7589-46b2-baaa-827e764ae6c3",
        "name": "Nimplant",
        "slug": "nimplant"
      },
      {
        "id": "ffc2f4be-3f03-4d2f-8a51-70c7809adc39",
        "name": "Behinder",
        "slug": "behinder"
      },
      {
        "id": "ee23bef2-3d59-4acb-834a-d0b0bcb30efc",
        "name": "Godzilla",
        "slug": "godzilla"
      },
      {
        "id": "f8f32f39-7be0-41b8-8758-e913d3bd5f92",
        "name": "XMRig",
        "slug": "xmrig"
      },
      {
        "id": "c95a6f1b-272e-4020-8111-aeb2c7ff4904",
        "name": "gsocket",
        "slug": "gsocket"
      }
    ],
    "observables": [
      {
        "id": "13e6d09f-1ba4-44d0-ba8d-28340d5b1d2f",
        "name": "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      },
      {
        "id": "d0d49d06-3b73-4ab1-bbee-1e7d7cdce051",
        "name": "1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      },
      {
        "id": "7a798731-2e44-474e-9cb9-81ce3f0a108c",
        "name": "89.125.244.33"
      },
      {
        "id": "01731411-fc25-4a84-9969-ec2bfeffdba9",
        "name": "38.60.214.92"
      },
      {
        "id": "de60caa0-64e5-4875-a8f7-71df6cfd8af4",
        "name": "104.233.156.1"
      },
      {
        "id": "de0288d8-e195-4702-bdca-6f19a7143107",
        "name": "89.125.244.51"
      },
      {
        "id": "1e14fd74-20a0-49bd-808c-239b70a04908",
        "name": "83.229.126.195"
      },
      {
        "id": "d5ba085d-10ce-4db3-93d8-af552e4bca9e",
        "name": "38.181.52.89"
      },
      {
        "id": "68034e08-99a8-49f9-a589-9312413b71cc",
        "name": "71.80.85.135"
      },
      {
        "id": "741d6e31-37fd-4a70-abe0-8c9b8065d055",
        "name": "176.65.139.31"
      },
      {
        "id": "90e893d6-c1e9-49ef-9f5d-ff6f44fe465c",
        "name": "23.27.143.170"
      },
      {
        "id": "ee7ca42c-a914-455e-b6cb-1eaead8fd746",
        "name": "47.104.248.7"
      },
      {
        "id": "b929947b-0468-45ef-8769-4c5ad74ed5a9",
        "name": "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download"
      },
      {
        "id": "c200da50-07bb-4b31-9886-9b051358b42b",
        "name": "http://83.229.126.195:8081/config.json"
      },
      {
        "id": "",
        "name": "96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46"
      },
      {
        "id": "",
        "name": "0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d"
      },
      {
        "id": "",
        "name": "18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80"
      },
      {
        "id": "",
        "name": "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
      },
      {
        "id": "",
        "name": "17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925"
      },
      {
        "id": "",
        "name": "0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0"
      },
      {
        "id": "",
        "name": "b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3"
      },
      {
        "id": "",
        "name": "5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8"
      },
      {
        "id": "",
        "name": "02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8"
      },
      {
        "id": "",
        "name": "72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060"
      },
      {
        "id": "",
        "name": "f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1"
      },
      {
        "id": "",
        "name": "7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      },
      {
        "id": "",
        "name": "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev"
      }
    ]
  },
  "external_refs": [
    {
      "id": "6d2d5071-35c4-4df3-afef-1ea6b9034841",
      "standard_id": "external-reference--14d61500-7a33-527d-a6e2-ab3343b30af3",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/",
      "hash": null,
      "external_id": null,
      "created": "2026-05-15T18:45:06.151Z",
      "modified": "2026-05-15T18:45:06.151Z",
      "createdById": null
    },
    {
      "id": "3187a04b-bcec-453a-a4eb-2cafd61a1c5b",
      "standard_id": "external-reference--44b350c9-de98-53dc-8eac-162b15bfba33",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a062c38dfdb5434bb2f0876",
      "hash": null,
      "external_id": "6a062c38dfdb5434bb2f0876",
      "created": "2026-05-15T18:45:06.099Z",
      "modified": "2026-05-15T18:45:06.099Z",
      "createdById": null
    }
  ]
}