INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Ongoing Cisco Catalyst SD-WAN Exploitation

| 2026-05-14 16:02 CRITICAL HIGH
Executive Summary AI-generated
The incident data suggests a sophisticated threat actor is exploiting vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager systems, allowing them to bypass authentication and gain administrative privileges on affected systems. This activity has been limited so far but is expected to continue as new threats emerge. The attackers are targeting specific CVEs (vulnerabilities) such as CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, which have been previously disclosed by Talos. These vulnerabilities were identified in March 2026 but have since been exploited by the same threat actor, indicating a continuous threat landscape. The attackers are also targeting Cisco Catalyst SD-WAN systems that have not received patches or updates, highlighting the importance of timely patching and security awareness among users and administrators.
Technical Mitigations AI-generated
• Patch and Upgrade: Customers should upgrade to the latest software updates and security advisory addressing vulnerabilities CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 as soon as possible. • Implement Access Controls: Organizations should implement robust access controls, including multi-factor authentication, to prevent unauthorized access to affected systems. • Monitor for In-the-Wild Exploitation: Customers are advised to monitor their SD-WAN infrastructure closely for in-the-wild exploitation of vulnerabilities CVE-2026-20182 and other similar vulnerabilities.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Cobalt StrikeCobalt Strike CVE-2022-20775CVE-2022-20775 CVE-2026-20122CVE-2026-20122 CVE-2026-20182CVE-2026-20182 CVE-2026-20128CVE-2026-20128 CVE-2026-20127CVE-2026-20127 CVE-2026-20133CVE-2026-20133
Target & Sectors
NORTH_AMERICA NORTH_AMERICA FIVE_EYES FIVE_EYES technologytechnology
Incident Timeline
‎February 2026
The Cisco software updates and security advisory were released in February 2026.
‎February 2026
Threat actors exploited a previously unknown vulnerability in Cisco's SD-WAN software.
‎March 3, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 3, 2026
The cluster of Cisco SD-WAN devices was actively exploiting a zero-day vulnerability (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) as of at least March 3, 2026.
vulnerability CVE-2026-20133
vulnerability CVE-2026-20128
vulnerability CVE-2026-20122
general_metric 4 Cluster
‎March 4, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 4, 2026
The cluster of Cisco SD-WAN devices was actively exploiting a zero-day vulnerability (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) as of at least March 4, 2026.
vulnerability CVE-2026-20133
vulnerability CVE-2026-20128
vulnerability CVE-2026-20122
general_metric 3 Cluster
‎March 5, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 5, 2026
Threat actors exploited a critical Cisco SD-WAN bug to target an IP address hosted on two Mythic C2 servers.
malware Sliver
observable fece5b954e69b2c6a8d0a1029631a0d7
organisation CWan
general_metric 31337 port
general_metric 22 port
infrastructure 6 server Cluster
‎March 6, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 6, 2026
The cluster was actively exploiting the CVE-2026-20133 vulnerability in Cisco SD-WAN products since at least March 6, 2026.
vulnerability CVE-2026-20133
vulnerability CVE-2026-20128
vulnerability CVE-2026-20122
general_metric 1 Cluster
‎March 10, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 10, 2026
The cluster was actively exploiting the CVE-2026-20133 vulnerability in Cisco SD-WAN from at least March 10, 2026.
vulnerability CVE-2026-20133
vulnerability CVE-2026-20128
vulnerability CVE-2026-20122
general_metric 2 Cluster
‎as early as March 10, 2026
Threat actors exploited a critical Cisco SD-WAN bug in Cluster 8, targeting the cluster as early as March 10, 2026.
general_metric 8 Attacker
‎Mar 13, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎March 13, 2026
Talos detected the deployment of an AdaptixC2 malware agent on March 13, 2026.
general_metric 5 AdaptixC2
‎March 17, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 17, 2026
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks targeting at least Cluster 9 since at least March 17, 2026.
general_metric 9 gsocket
‎March 25, 2026
Threat actors exploited a previously unknown critical Cisco SD-WAN bug in zero-day attacks.
‎at least March 25, 2026
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks targeting at least Cluster 7 since at least March 25, 2026.
general_metric 7 XMRig
‎March 28, 2026
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks using the "Sliver" adversarial emulation framework.
malware Sliver
observable fece5b954e69b2c6a8d0a1029631a0d7
organisation CWan
general_metric 31337 port
general_metric 22 port
infrastructure 6 server Cluster
‎March 2026
Threat actors exploited CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 vulnerabilities in Cisco SD-WAN to deploy webshells and other malicious tooling.
vulnerability CVE-2026-20133
vulnerability CVE-2026-20128
vulnerability CVE-2026-20122
‎March to April 2026
Threat actors exploited a previously unknown vulnerability in Cisco SD-WAN systems from March to April 2026.
‎2026/05/14
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks.
‎2026/02/10T22:51:36+
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks by using the "Accepted publickey for vmanage-admin" message to gain unauthorized access via SSH.
observable auth.log
‎2026/05/14
Threat actors exploited a critical Cisco SD-WAN bug in zero-day attacks, allowing them to gain administrative privileges on affected systems.
organisation SD-WAN vSmart
organisation SD-WAN vManage
organisation ITW
organisation Security Advisory
organisation CVSS
organisation Breaks a Pen Test Organizations
organisation Catalyst SD-WAN Controller
organisation Cisco Catalyst SD-WAN
organisation Cisco Catalyst SD-WAN Controller
organisation SD-WAN Cloud
organisation Cisco CVE-2026-20182
infrastructure 1.1.1
infrastructure 192.168.3
organisation SD-WAN
organisation CVE-2026
organisation DTLS
organisation SSH
financial 1 Cluster
financial 10 Cluster
organisation Cisco Security Advisory
organisation CVE-202128
organisation ClamAV
financial 66469 Snort SIDs
financial 66462 Snort SIDs
organisation CVE
organisation UAT-8616
organisation Cisco SD-WAN
organisation UDP
infrastructure 7 IP Cluster
infrastructure 8 based Download URL
infrastructure 00 download
organisation the Common Vulnerability Scoring System
organisation JWT
organisation API
organisation Token
organisation JSP
organisation XenShell
organisation NETCONF
organisation ORB
organisation TAC
organisation the Recommendations and Detection Guidance
organisation JavaServer Pages
organisation IPs
organisation AES
organisation IP
organisation TCP
organisation VPS
organisation Nim
organisation RSA
organisation Nimplant
organisation the Global Socket Relay Network
organisation GSRN
financial 2 Cluster
financial 3 Cluster
financial 4 Cluster
data_breach 16 byte
organisation CVE-2022
organisation the Catalyst Controller
infrastructure Linux
organisation Maximum Severity Cisco SD-WAN Bug Exploited
organisation McKee
organisation Cisco Talos
organisation Catalyst
organisation Controller
organisation vHub
organisation Critical Infrastructure
organisation CI
organisation KEY
organisation the Cisco Catalyst SD-WAN
organisation UI
organisation SD-WAN Controller
‎May 17, 2026
Threat actors exploited the Cisco CVE-2026-20182 critical vulnerability in zero-day attacks.
vulnerability CVE-2026-20182
tactic T1588.006 - Vulnerabilities
‎May 2026
Threat actors exploited a previously unknown vulnerability in Cisco's SD-WAN software.
Tactical Metrics
Metrics
financial
1
Cluster
Metrics
financial
10
Cluster
Metrics
infrastructure
6
Server Cluster
Metrics
financial
66,469
Snort Sids
Metrics
financial
66,462
Snort Sids
Metrics
infrastructure
7
Ip Cluster
Metrics
infrastructure
8
Based Download Url
Metrics
infrastructure
0
Download
Metrics
financial
2
Cluster
Metrics
financial
3
Cluster
Metrics
financial
4
Cluster
Metrics
data_breach
16
Byte
Metrics
infrastructure
‎Linux
Affected Product
Metrics
infrastructure
‎1.1.1
Software Version
Metrics
infrastructure
‎192.168.3
Software Version