
Cisco Zero-Day Exploited in Ongoing Attacks by Persistent Threat Group


The flaw "behaves like a master key," Douglas McKee wrote — a concise description of a vulnerability that can hand an attacker the highest administrative access to a network controller. Cisco customers and national cyber authorities are now racing to contain exploitation of a max-severity zero-day — CVE-2026-20182 — that targets the Cisco Catalyst SD-WAN Controller and Manager.

What CVE-2026-20182 does and why it matters

CVE-2026-20182 is an authentication-bypass vulnerability with a CVSS score of 10. According to Rapid7, an attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without proper validation, obtain the highest level of administrative access. Jonah Burgess, senior security researcher at Rapid7, told CyberScoop the flaw requires no credentials or prior knowledge of the target environment for exploitation and affects all deployment types, including on-premises, cloud, and FedRAMP environments.

The SD-WAN Controller manages routing and policy for the entire overlay network, so Rapid7 warned a single compromised controller can potentially give an attacker influence over every branch, data center, and cloud edge connected to that fabric. Douglas McKee highlighted the potential impact: once an attacker controls the controller they can reroute traffic, intercept communications, push malicious configurations, or break connectivity across the whole organization.

Who is exploiting it and how this links to prior campaigns

Cisco Talos attributed the active exploitation to a persistent threat group labeled UAT-8616, the same actor Talos linked to earlier zero-days in Cisco’s network edge software. Talos also warned that UAT-8616 and at least 10 other threat groups have chained together and achieved widespread in-the-wild active exploitation of three previously disclosed vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure — vulnerabilities Cisco patched in February (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133).

Rapid7 said it discovered CVE-2026-20182 while researching a prior zero-day, CVE-2026-20127, which the Five Eyes had identified and confirmed as actively exploited by UAT-8616 in late 2025. Cisco Talos described the earlier activity as ongoing for at least three years before discovery, and the current advisory links this new zero-day to that prolonged campaign.

Disclosure timeline and official response

Rapid7 reported CVE-2026-20182 to Cisco on March 9. Cisco said it became aware of limited exploitation earlier this month; the vendor disclosed and released a patch Thursday. The Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2026-20182 to its known exploited vulnerabilities catalog. Cisco did not explain what occurred during the two-month window between Rapid7’s report and public disclosure.

Authorities and Cisco have faced criticism in previous incidents for delayed public action: CyberScoop's reporting notes that past campaigns prompted CISA emergency directives months after attacks were first detected, and that the earlier campaigns ran for at least a year before discovery. Cisco Talos once again declined to answer questions about the origins or motivations of UAT-8616. A Cisco spokesperson urged customers to apply the available fixed software releases and follow the guidance provided in the advisories and the Cisco Talos blog.

How technologists, policymakers, and affected enterprises are likely to respond

  • Technologists and security teams: They will need to prioritize deployment of Cisco’s fixed software releases and follow advisory guidance. Rapid7’s researchers emphasize that the central role of the controller means patching and validation are critical because one compromised controller can affect an entire overlay network.
  • Policymakers and regulators: With CISA adding this defect to its known exploited vulnerabilities catalog, having added seven Cisco-related vulnerabilities in less than three months, regulators will be watching whether the time from discovery to patching and public guidance shortens, and whether emergency directives or further catalog additions become necessary.
  • Affected enterprises and procurement leaders: Organizations that run Cisco Catalyst SD-WAN Controller and Manager — across on-premises, cloud, and FedRAMP deployments — must assume a single point of catastrophic leverage exists in the controller architecture and act accordingly: apply patches, validate configurations, and follow vendor advisories to limit exposure.

The technical and institutional facts converge on a stark point: the architecture that gives defenders scale and simplicity can also create a single point of catastrophic leverage. Cisco has released a patch and CISA has added CVE-2026-20182 to its catalog, but the episode leaves two tangible questions unanswered in the record published so far: how exploitation was detected and limited, and why a two-month window elapsed between Rapid7’s report and public remediation. For organizations running affected controllers, the immediate task is clear — apply the available fixes and follow the published guidance.

Original reporting: https://cyberscoop.com/cisco-sd-wan-zero-day-exploited/