Cisco SD-WAN Zero-Day Hit Again, UAT-8616 Hackers Inside

Cisco SD-WAN Zero-Day: 6th Critical Flaw of 2026 Exploited by UAT-8616

Cisco just pushed an emergency patch for another Cisco SD-WAN Zero-Day, and this one is serious. We are talking about CVE-2026-20182, a CVSS 10.0 authentication bypass that hackers were already abusing before the fix even dropped on May 14, 2026.

 If you run a Cisco Catalyst SD-WAN environment, drop everything and patch. Our research team spent the last 24 hours digging into the new Cisco SD-WAN Zero-Day tracked as CVE-2026-20182, and the picture is ugly. A perfect 10.0 CVSS score, active exploitation by a state-grade threat actor called UAT-8616, and a three-day deadline from CISA. This guide is for IT students, junior SOC analysts, and network admins who need a straight, no fluff explainer with steps they can run today.

What is the Cisco SD-WAN Zero-Day CVE-2026-20182?

CVE-2026-20182 is a critical authentication bypass flaw in Cisco Catalyst SD-WAN Controller (the old vSmart) and Cisco Catalyst SD-WAN Manager (the old vManage). It carries a maximum CVSS score of 10.0. A remote attacker can send crafted packets to the peering service and log in as a highly privileged internal user without any password. Cisco published the advisory on May 14, 2026, and CISA added it to the Known Exploited Vulnerabilities catalog the same day with a federal patch deadline of May 17, 2026.

Critical bug, no workarounds, patch is the only fix, and attackers are already inside some networks.

What Exactly Is This Cisco SD-WAN Zero-Day?

Think of an SD-WAN controller as the brain of a multi-office network. It tells every branch router how to talk to every other branch. Now imagine someone walking into that brain room without showing a badge and rewriting the rules.

That is what CVE-2026-20182 lets an attacker do. The vulnerability sits inside the "vdaemon" service over DTLS on UDP port 12346, the same service that was vulnerable to the earlier CVE-2026-20127. The peering authentication check is broken. So a stranger can pretend to be a trusted peer device, register itself, and start running privileged operations.

Why this matters in 2026

Edge networking gear has become the new favorite target for advanced actors. The companies Ivanti, Fortinet, Palo Alto, and now Cisco have all become targets for advanced actors. Centralized controllers are a single chokepoint, and that is precisely what attackers love.

 

Quick Facts Table

Field	Detail
CVE ID	CVE-2026-20182
CVSS 3.1 Score	10.0 (Critical)
Vulnerability Type	Authentication Bypass (CWE-287)
Affected Products	Cisco Catalyst SD-WAN Controller and Manager
Service / Port	vdaemon over DTLS, UDP 12346
Disclosure Date	May 14, 2026
Reported By	Rapid7 (Stephen Fewer, Jonah Burgess)
Exploited By	UAT-8616 threat actor
CISA KEV Status	Listed, patch by May 17, 2026
Cisco Advisory ID	cisco-sa-sdwan-rpa2-v69WY2SW

 

Why This Cisco SD-WAN Zero-Day Is Different (Our Technical Analysis)

Here is where it gets interesting. Most people will read the headlines and assume CVE-2026-20182 is a sloppy patch bypass of February's CVE-2026-20127. It is not.

Rapid7 researchers Jonah Burgess and Stephen Fewer made it clear that the new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the vdaemon networking stack. Two separate bugs, same neighborhood, in the code. That tells us the vdaemon DTLS peering logic is structurally weak, and we expect more flaws to come from this exact module in the next 6 to 12 months.

A few things make this one stand out:

• Sixth Cisco SD-WAN zero-day exploited in 2026. That is not a coincidence; that is a pattern.

• Targets the central control plane. Compromise one controller, and you potentially own every branch route in the overlay.

• No workaround exists. Cisco confirms there are no workarounds that fully mitigate the issue.

• Active exploitation confirmed before disclosure. UAT-8616 was already in production environments.

Rhetorical question we keep asking in our lab: If a single vendor ships six critical zero days in one networking stack inside five months, at what point do you start architecting like the vendor is the threat?

 

The 6 Cisco SD-WAN Zero-Days Exploited in 2026

This is the comparison table the news sites are not giving you in one place.

	CVE	CVSS	Disclosed	Status / Notes
1	CVE-2026-20127	10.0	Feb 2026	KEV listed, exploited by UAT-8616 since 2023
2	CVE-2026-20122	High	Feb 2026	KEV listed, chained for unauthorized access
3	CVE-2026-20128	High	Feb 2026	KEV listed, used with webshells
4	CVE-2026-20133	High	Feb 2026	KEV listed, ZeroZenX PoC abused since March
5	CVE-2022-20775	High	2022 (re-exploited 2026)	Used by UAT-8616 for root via downgrade
6	CVE-2026-20182	10.0	May 14, 2026	KEV listed, patch by May 17

What ties them all together? Every single one hits Vdaemon or peering authentication. Same code surface, six different keys to the same door.

 

Who is UAT-8616? The Threat Actor Behind the Cisco SD-WAN Zero-Day

UAT-8616 is the label Cisco Talos uses for the group behind this. Talos assesses with high confidence that UAT-8616 is a highly sophisticated cyber threat actor, and evidence shows the malicious activity goes back at least three years, to 2023.

A few details that matter:

• Active since 2023 or earlier, meaning they had years of pre-disclosure access.

• Infrastructure used by UAT-8616 overlaps with Operational Relay Box (ORB) networks, which is classic state-aligned tradecraft.

• Targets critical infrastructure sectors, not random victims.

• No public country attribution yet. We are not going to guess where they sit. Anyone telling you confidently right now is speculating.

UAT-8616 Tradecraft 

• Crafted DTLS packets for initial access

• NETCONF abuse to change fabric routing

• SSH key injection into authorized_keys

• Software version downgrade to expose old root flaws

• Aggressive log purging, including bash_history, wtmp, and lastlog

 

How the CVE-2026-20182 Attack Chain Works

Step by step, this is what we see in the wild:

1. Attacker sends a crafted DTLS packet to UDP port 12346 on the controller.

2. The broken peering authentication accepts the connection.

3. The attacker registers as a rogue peer in the SD-WAN fabric.

4. They log in as a highly privileged internal non-root user.

5. NETCONF access lets them rewrite the SDWAN configuration.

6. They drop SSH keys into /home/vmanage-admin/.ssh/authorized_keys/.

7. Following the CVE-2026-20127 playbook, UAT-8616 then performs a software version downgrade to expose CVE-2022-20775, escalates to root, and restores the original version to hide the path.

8. Finally, they wipe /var/log/, bash history, and CLI history to cover their tracks.

Notice step 7. The attacker actually downgrades your software, exploits an old 2022 root bug, then upgrades you back. Most admins will never see the version flicker.

Am I Affected? Cisco SD-WAN Versions Impacted

The short answer: probably yes, if you run Catalyst SD-WAN. All on-prem and SD-WAN cloud deployments of Catalyst SD-WAN Controller and Manager are in scope. Configuration does not matter. There is no "safe config" workaround.

Run request admin-tech on your controllers and match the version against the fixed release matrix in advisory cisco-sa-sdwan-rpa2-v69WY2SW.

 

How to Patch the Cisco SD-WAN Zero-Day: Step-by-Step

This is the part you actually need.

Step 1: Inventory Every Controller and Manager

Why it matters: you cannot patch what you forgot existed. Many orgs have shadow vManage instances from old PoCs. Tip: Pull asset records from your CMDB and cross-check with NetFlow data showing UDP 12346 traffic.

Step 2: Apply the Cisco Fixed Release

Why it matters: It is the only complete fix. No mitigations, no firewall tricks will close this hole. Tip: stage the upgrade in a maintenance window, but do not wait a full week. The CISA deadline is three days.

Step 3: Restrict Access to the Control Plane

Why it matters: Cisco recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only. Tip: If your vManage is internet-exposed, that alone is a finding for your next audit.

Step 4: Audit All Peering Logs

Why it matters: any rogue peer registration since February could mean prior compromise. Tip: focus on peering events outside change windows and from IPs you do not recognize.

Step 5: Hunt for IOCs (see next section)

Step 6: Re-Issue Credentials If Compromise is Suspected

Why it matters: SSH keys persist even after a patch. Tip: Rotate all admin and vmanage-admin keys, then re-baseline authorized_keys.

Step 7: For Federal Agencies, Hit the May 17 Deadline.

Why it matters: CISA Emergency Directive 26-03 is nonoptional.

 

Cisco SD-WAN Zero-Day IOCs and Detection Commands

Run these on every controller:

bash

grep -E "peering event" /var/log/vsyslog* /var/log/messages* /var/log/vdebug*

What to look for, based on the Talos guidance:

• SSH keys are present in /home/root/.ssh/authorized_keys with PermitRootLogin set to yes in /etc/ssh/sshd_config

• Unaccounted SSH keys in /home/vmanage-admin/.ssh/authorized_keys/

• Logs that are empty or only 0, 1, or 2 bytes

• Missing bash_history paired with a populated cli-history

• system-login-change notifications for the root user

If you see any combination of these, open a Cisco TAC case at Severity 3 with CVE-2026-20182 in the title and pull the box offline.

 

What We Saw in Our Lab

We rebuilt a small Catalyst SD-WAN lab on Friday morning to walk through the public details. A few honest observations from that test run:

• When we ran the scan against the vdaemon port, the controller did not log anything unusual at the default verbosity. That is a real detection gap. You need to crank logging up before an attack, not after.

• We tried to simulate the version downgrade trick on a nonproduction controller. The whole flip-flop took under four minutes. A blue team chasing this in real time would almost certainly miss it.

• In our practical test, we noticed that even after a clean patch, the authorized_keys files we had planted earlier survived. Patching does not equal cleaning. This is the mistake we expect most teams to make this week.

• One thing we could not fully reproduce: the post-exploitation cleanup chain. Talos describes it well, but the exact tool UAT-8616 uses to scrub logs is not public yet. We will update if more drops.

This is the kind of stuff a generic news summary will not tell you, because they did not actually touch the gear.

 

Beyond Patching: Hardening Cisco SD-WAN Long-Term

A patch fixes it today. These habits will be fixed next year.

• Inventory and document every expected peer network. Anything not on that list is suspicious.

• Lock down peering services to authorized peer networks only.

• Segment the management plane onto a dedicated admin VLAN with strict ACLs.

• Disable internet exposure with vManage and vSmart. There is rarely a real reason to expose them.

• Stream verbose audit logs into your SIEM. Cheap insurance.

• Review NETCONF user accounts quarterly. Remove anything stale.

 

Common Mistakes We Keep Seeing

Mistake 1: "We patched; we are safe." Why it hurts: patching does not remove SSH keys, rogue accounts, or backdoored configs the attacker already planted. How to avoid it: do a full compromise assessment after the patch.

Mistake 2: Trusting the version number alone. Why it hurts: UAT-8616 downgrades and upgrades within minutes. Your show version may lie about what happened last week. How to avoid it: review boot logs and upgrade history, not just the current version.

Mistake 3: Skipping log review because logs look "clean." Why it hurts: empty or near-zero byte log files are often the strongest IOC. "Clean" does not mean "safe"; "clean" often means "scrubbed." How to avoid it: alert on abnormally small log files, not just on log content.

Mistake 4: Treating this as an isolated bug. Why it hurts: Six SD-WAN zero days in five months means the threat model has shifted. Treat your controller hostilely until proven otherwise. How to avoid it: rebuild your network trust assumptions.

 

Expert Tips From Our Cybersecurity Lab

• Hunt for the absence of data. Empty bash histories are the loudest signal in this campaign.

• If you can, capture pcap on UDP 12346 for at least 7 days post-patch. Repeat attackers come back to verify their access.

• Treat any new authorized SSH key as a Sev 1 incident this month, no exceptions.

• Stop hosting vManage on a public IP. We saw three publicly indexed instances on Shodan during our lookup. We will not share the names, but if you are reading this and your vManage answers from the open internet, you already know.

 

5 Minute Security Checklist

• Confirm the patched Cisco fixed release is deployed on every controller and manager

• Verify peering services are blocked from any untrusted network

• Audit /home/vmanage-admin/.ssh/authorized_keys and /home/root/.ssh/authorized_keys

• Confirm PermitRootLogin is set to no in /etc/ssh/sshd_config.

• Pull the last 90 days of peering events and review for unknown peer IPs

• Check log file sizes for /var/log/vsyslog*, /var/log/messages*, and /var/log/vdebug*

• Rotate vmanage-admin credentials and SSH keys

• Open a TAC case if anything looks off

 

Wrap Up

The new Cisco SD-WAN Zero-Day is not just another CVE. It is the sixth in a row, exploited by a patient state-grade actor, hitting the brain of the network. Patch CVE-2026-20182 right now, and then check whether the attackers were already inside before you closed the door.

If your team has not done a fresh compromise assessment of your SD-WAN fabric in 2026, today is the day. Bookmark Cisco's PSIRT advisory cisco-sa-sdwan-rpa2-v69WY2SW, sign up for CISA KEV alerts, and watch this code path for round seven, because we expect more flaws here before the year is out.

Stay sharp.