Cisco SD-WAN local privilege escalation (UAT-8616 version-downgrade re-exploitation technique)

External references

NVD · cve.org · CISA KEV

All cited sources (81)

• blog.talosintelligence.comprimaryinlineTalos UAT-8616 blog, 2026-02-25https://blog.talosintelligence.com/uat-8616-sd-wan/
  source profile · cited in 2026-06-16, 2026-05-15
• blog.talosintelligence.comprimaryinlineCisco Talos, 2026-05-05https://blog.talosintelligence.com/cloudz-pheno-infostealer/
  source profile · cited in 2026-05-07
• blog.talosintelligence.comprimaryinlineCisco Talos — DICOM / Orthanc heap analysishttps://blog.talosintelligence.com/dicom-pydicom-gdcm-and-orthanc-a-technical-tour-of-what-really-happens-in-the-heap/
  source profile · cited in 2026-W22, 2026-05-31
• blog.talosintelligence.comprimaryinlineCisco Taloshttps://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/
  source profile · cited in 2026-05-20
• blog.talosintelligence.comprimaryinlinefield guide to Windows COM abusehttps://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/
  source profile · cited in 2026-W26, 2026-06-28
• blog.talosintelligence.comprimaryinlineCisco Talos UAT-8616https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
  source profile · cited in 2026-W20, 2026-05-15
• blog.talosintelligence.comprimaryinlineCisco Talos — UAT-8302https://blog.talosintelligence.com/uat-8302/
  source profile · cited in 2026-W19, 2026-05-14, 2026-05-06
• attack.mitre.orginlineT1190 Exploit Public-Facing Applicationhttps://attack.mitre.org/techniques/T1190/
  cited in 2026-W19, 2026-06-16, 2026-05-15, 2026-05-10
• attack.mitre.orginlineT1098.004 Account Manipulation: SSH Authorized Keyshttps://attack.mitre.org/techniques/T1098/004/
  cited in 2026-05-15
• attack.mitre.orginlineT1021.004 Remote Services: SSHhttps://attack.mitre.org/techniques/T1021/004/
  cited in 2026-05-15
• attack.mitre.orginlineT1562.001 Impair Defenses: Disable or Modify Toolshttps://attack.mitre.org/techniques/T1562/001/
  cited in 2026-05-15
• attack.mitre.orginlineT1068 Exploitation for Privilege Escalationhttps://attack.mitre.org/techniques/T1068/
  cited in 2026-05-15
• attack.mitre.orginlineT1505.003 Server Software Component: Web Shellhttps://attack.mitre.org/techniques/T1505/003/
  cited in 2026-06-16, 2026-05-15
• attack.mitre.orginlineT1071 Application Layer Protocolhttps://attack.mitre.org/techniques/T1071/
  cited in 2026-05-15
• attack.mitre.orginlineT1070.002 Indicator Removal: Clear Linux or Mac System Logshttps://attack.mitre.org/techniques/T1070/002/
  cited in 2026-05-15
• attack.mitre.orginlineT1496 Resource Hijackinghttps://attack.mitre.org/techniques/T1496/
  cited in 2026-05-15
• attack.mitre.orginlineT1021.001 Remote Services: Remote Desktop Protocolhttps://attack.mitre.org/techniques/T1021/001/
  cited in 2026-W19
• attack.mitre.orginlineT1047 Windows Management Instrumentationhttps://attack.mitre.org/techniques/T1047/
  cited in 2026-W19
• attack.mitre.orginlineT1059 Command and Scripting Interpreterhttps://attack.mitre.org/techniques/T1059/
  cited in 2026-06-16
• attack.mitre.orginlineT1078.004 Valid Accounts: Cloud Accountshttps://attack.mitre.org/techniques/T1078/004/
  cited in 2026-06-16
• attack.mitre.orginlineT1133 External Remote Serviceshttps://attack.mitre.org/techniques/T1133/
  cited in 2026-W19, 2026-05-10
• attack.mitre.orginlineT1486 Data Encrypted for Impacthttps://attack.mitre.org/techniques/T1486/
  cited in 2026-W19, 2026-05-10
• attack.mitre.orginlineT1567 Exfiltration Over Web Servicehttps://attack.mitre.org/techniques/T1567/
  cited in 2026-W19, 2026-05-10
• bankinfosecurity.cominlineBankInfoSecurity, 2026-05-11https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654
  cited in 2026-05-14
• bleepingcomputer.cominlineBleepingComputer, 2026-05-29https://www.bleepingcomputer.com/news/security/california-ag-sues-23andme-over-2023-breach-exposing-health-data/
  source profile · cited in 2026-05-31
• bleepingcomputer.cominlineBleepingComputer, 2026-06-15https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/
  source profile · cited in 2026-06-16
• bleepingcomputer.cominlineexploitation moved to reconnaissance stagehttps://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/
  source profile · cited in 2026-W26, 2026-06-24
• bleepingcomputer.cominlineBleepingComputer 2026-05-05https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/
  source profile · cited in 2026-05-14
• blick.chinlineBlick.ch, 2026-05-07https://www.blick.ch/fr/suisse/romande/cyberattaque-le-groupe-romand-3r-de-radiologie-cible-id21930477.html
  cited in 2026-W19
• blog.checkpoint.cominlineCheck Point bloghttps://blog.checkpoint.com/research/when-the-ransomware-gang-gets-hacked-what-the-gentlemen-leak-reveals-about-modern-ransomware-risk
  cited in 2026-W20
• cisa.govinlineCISA ED-26-03https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
  source profile · cited in 2026-W20, 2026-05-15
• cloud.google.cominlineMandiant, 2026-06-05https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
  source profile · cited in 2026-06-06
• cloud.google.cominlinepublished the first complete TTP chainhttps://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
  source profile · cited in 2026-W26, 2026-06-27, 2026-06-26
• cnil.frinlineCNIL — €5M IQVIA finehttps://www.cnil.fr/en/health-data-fine-5-million-euros-against-iqvia
  source profile · cited in 2026-W22
• comparitech.cominlineComparitech Q1 2026 Healthcare, 2026-04-29https://www.comparitech.com/news/healthcare-ransomware-roundup-q1-2026-stats-on-attacks-ransoms-and-data-breaches/
  cited in 2026-W19
• cyber.gov.auinlineACSC hunt guide, 2026-02-25https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf
  cited in 2026-05-15
• cybermaxx.cominlineCyberMaxx Q1 2026https://www.cybermaxx.com/resources/ransomware-research-report-q1-2026-audio-blog-interview/
  cited in 2026-W19
• elastic.coinlineElastic Security Labs 2026-05-07https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
  source profile · cited in 2026-05-14
• github.cominlineGitHub `Bedrock-Safeguard/gentlemen-decryptor`https://github.com/Bedrock-Safeguard/gentlemen-decryptor
  source profile · cited in 2026-05-14
• groupe3r.chinlineGroupe 3R victim statement, 2026-04-30https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/
  cited in 2026-W19
• helpnetsecurity.cominlineHelp Net Securityhttps://www.helpnetsecurity.com/2026/06/05/cisco-sd-wan-cve-2026-20245-0-day-exploited/
  source profile · cited in 2026-W23
• huntress.cominlineHuntresshttps://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
  source profile · cited in 2026-06-04
• ictjournal.chinlineICTjournal.ch, 2026-05-06https://www.ictjournal.ch/news/2026-05-06/le-reseau-radiologique-romand-a-nouveau-victime-dune-cyberattaque-ses-systemes
  cited in 2026-W19
• island.ioinlineIslandhttps://www.island.io/blog/badblocker-11-million-users-one-server-call-away-from-compromise
  cited in 2026-W26
• lumen.cominlineLumen Black Lotus Labs, 2026-06-10https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation
  cited in 2026-06-11
• microsoft.cominlineMicrosoft Security Blog 2026-05-04https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
  source profile · cited in 2026-05-14
• netcraft.cominlineNetcrafthttps://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat
  source profile · cited in 2026-W26
• novee.securityinlineNovee Securityhttps://novee.security/blog/cordyceps/
  cited in 2026-W26
• nvd.nist.govinlineNVD CVSS 6.5https://nvd.nist.gov/vuln/detail/CVE-2026-20262
  cited in 2026-06-16
• oag.ca.govinlineCalifornia OAG, 2026-05-28https://oag.ca.gov/news/press-releases/attorney-general-bonta-sues-chrome-holding-co-formerly-known-23andme-over-2023
  cited in 2026-05-31
• oasis.securityinlineOasis Security 2026-05-07https://www.oasis.security/blog/cline-kanban-websocket-hijack
  cited in 2026-05-14
• pgadmin.orginlinepgAdminhttps://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html
  cited in 2026-06-19
• politie.nlinlinePolitiehttps://www.politie.nl/en/news/2026/juni/18/11-international-law-enforcement-initiate-hunt-on-malware-group-socgholish.html
  cited in 2026-06-19
• rapid7.cominlineRapid7, 2026-05-14https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/
  source profile · cited in 2026-05-15
• research.checkpoint.cominlineCheck Pointhttps://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
  source profile · cited in 2026-W22, 2026-W20, 2026-05-14
• sansec.ioinlineSansechttps://sansec.io/research/optinmonster-supply-chain-attack
  source profile · cited in 2026-06-16
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
  source profile · cited in 2026-W21, 2026-05-22
• sec.cloudapps.cisco.cominlineCisco PSIRT advisory cisco-sa-cucm-ssrf-cXPnHcWhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
  source profile · cited in 2026-W26, 2026-06-24, 2026-06-04
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-G5WP8vv
  source profile · cited in 2026-W25, 2026-06-19
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
  source profile · cited in 2026-W25, 2026-06-16
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
  source profile · cited in 2026-W26, 2026-W23, 2026-06-26, 2026-06-06
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
  source profile · cited in 2026-W20, 2026-05-15
• sec.cloudapps.cisco.cominlineCisco PSIRThttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
  source profile · cited in 2026-W19, 2026-05-10
• security-hub.ncsc.admin.chinlineposted on ithttps://security-hub.ncsc.admin.ch/#/posts/12579
  source profile · cited in 2026-W26, 2026-W23, 2026-06-27, 2026-06-06
• security-hub.ncsc.admin.chinlineNCSC-CH Security Hub, 2026-05-21https://security-hub.ncsc.admin.ch/#/posts/12588
  source profile · cited in 2026-05-22
• securityweek.cominlineSecurityWeek, 2026-05-15https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-the-sixth-exploited-in-2026/
  source profile · cited in 2026-05-15
• securityweek.cominlineSecurityWeek, 2026-06-18https://www.securityweek.com/critical-command-execution-vulnerability-patched-in-cisco-ise/
  source profile · cited in 2026-06-19
• sentinelone.cominlineSentinelLABShttps://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
  source profile · cited in 2026-06-26
• sygnia.coinlineSygnia — Velvet Ant prior reportinghttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
  source profile · cited in 2026-06-13
• thehackernews.cominlineThe Hacker News, 2026-05-05https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
  cited in 2026-05-06
• thehackernews.cominlineThe Hacker News 2026-05-04https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
  cited in 2026-05-14
• thehackernews.cominlineThe Hacker News, 2026-06-10https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html
  cited in 2026-06-11
• thehackernews.cominlineThe Hacker News, 2026-06-26https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html
  cited in 2026-06-28
• therecord.mediainlineRecorded Future News, 2026-05-19https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage
  source profile · cited in 2026-05-20
• theregister.cominlineThe Register, 2026-05-29https://www.theregister.com/legal/2026/05/29/rob-bonta-sues-23andmes-new-owners-over-2023-breach/5248565
  cited in 2026-05-31
• theregister.cominlineThe Registerhttps://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916
  cited in 2026-W25, 2026-06-16
• theregister.cominlineThe Registerhttps://www.theregister.com/security/2026/05/21/cisco-serves-up-yet-another-perfect-10-bug-with-secure-workload-admin-flaw/5244012
  cited in 2026-W21, 2026-05-22
• unit42.paloaltonetworks.cominlineUnit 42, 2026-06-25https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
  source profile · cited in 2026-06-28
• unit42.paloaltonetworks.cominlineUnit 42https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
  source profile · cited in 2026-W26
• upguard.cominlineUpGuardhttps://www.upguard.com/news/world-food-programme-data-breach-2026-06-02
  cited in 2026-06-04
• wid.cert-bund.deinlineBSI CERT-Bund WID-SEC-2026-1989https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1989
  source profile · cited in 2026-W25, 2026-06-19