ctipilot.ch

UAT-8616

actor · actor:uat-8616

UAT-8616 — Sophisticated actor exploiting Cisco SD-WAN infrastructure since 2023

Coverage timeline: 5 appearances, first 2026-05-11 → last 2026-06-16
Entries: 5 (3 distinct days)
Sources cited: 26 (14 hosts)
Sections touched: 4 (active-threats, deep-dive, trending-vulnerabilities)
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-06-16 · deep-dive · Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE
  2. 2026-05-15 · active-threats · UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued
  3. 2026-05-15 · trending-vulnerabilities · CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public
  4. 2026-05-15 · deep-dive · Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain
  5. 2026-05-11 · weekly-top-stories · Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

Where this entity is cited

  • deep-dive: 2
  • weekly-top-stories: 1
  • trending-vulnerabilities: 1
  • active-threats: 1

Source distribution

  • attack.mitre.org: 11 (42%)
  • blog.talosintelligence.com: 2 (8%)
  • sec.cloudapps.cisco.com: 2 (8%)
  • bleepingcomputer.com: 1 (4%)
  • blog.packagist.com: 1 (4%)
  • cisa.gov: 1 (4%)
  • cyber.gov.au: 1 (4%)
  • depthfirst.com: 1 (4%)
  • other: 6 (23%)

Related entities

All cited sources (26)

Entries about UAT-8616 (5)

2026-06-16

Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE

notable vulnerability discovered 2026-06-16 05:09 UTC deep dive

Vulnerable component. The flaw lives in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), the centralised controller/management plane that pushes policy and configuration to every WAN-edge router in an SD-WAN fabric. The file-upload path in the management UI does not validate the user-supplied filename, so an authenticated request can traverse out of the intended directory and create or overwrite an arbitrary file on the appliance OS (NVD, CVSS 6.5; Cisco PSIRT, 2026-06-15). The vulnerability affects on-premises, Cloud-hosted and FedRAMP deployment models. The 6.5 base score reflects the authentication requirement (a low-privilege/single-task account), but the consequence — arbitrary write into a path the application server reads — is what makes it a root-RCE primitive rather than a simple integrity bug.

Exploitation chain. Reporting describes the practical path as: (1) initial access with valid low-privilege SD-WAN Manager credentials, obtained through prior phishing, credential reuse, or chaining an earlier auth-affecting SD-WAN bug (T1078.004 Valid Accounts: Cloud Accounts); (2) execution by abusing the upload endpoint to write a .jsp/.war artefact into the Tomcat deployment directory, turning the file write into a web shell (T1190 Exploit Public-Facing Application for the upload primitive, T1505.003 Server Software Component: Web Shell for the planted shell); (3) privilege escalation / impact: because the SD-WAN Manager application services run with high privilege, the web shell yields root-equivalent control of the management plane (T1059 Command and Scripting Interpreter). Control of SD-WAN Manager is control of every managed edge device's configuration — a single-pivot path to the entire WAN. Cisco Talos tracks a highly capable cluster it designates UAT-8616 behind a 2026 wave of Cisco Catalyst SD-WAN exploitation (notably CVE-2026-20127, with software-downgrade post-compromise tradecraft) (Cisco Talos, 2026); whether or not that cluster is behind CVE-2026-20262 specifically, the pattern means defenders should treat any SD-WAN Manager as a high-value target even where they believe an earlier intrusion was contained.

Affected and patched versions. Cisco has released fixed trains 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2; consult the PSIRT advisory for the exact mapping of your running train to its fixed build (Cisco PSIRT, 2026-06-15). CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog on 2026-06-15, confirming exploitation in the wild (BleepingComputer, 2026-06-15).

Hunt and detection concepts. Because exploitation is authenticated and post-foothold, the highest-value telemetry is on the appliance itself, not the perimeter. Review the SD-WAN Manager appserver and service-proxy logs for HTTP uploads referencing index.jsp, *.jsp or *.war filenames or path-traversal sequences, and for newly written files in the Tomcat webapps/deploy directories that do not correspond to a vendor update. Correlate file-write events with the authenticating account — single-task/low-privilege accounts performing uploads are anomalous. Watch for unexpected outbound connections from the SD-WAN Manager host (a web shell beaconing) and for new processes spawned by the application-server user. Because the attacker needs valid credentials first, surface authentication anomalies for management-plane accounts: logins from new source ranges, off-hours admin activity, and use of service/automation accounts interactively. No IOCs are reproduced here — hunt on the behaviour.

Hardening / mitigation. Patch to the fixed train as the only durable fix. Until patched: restrict management-plane reachability so SD-WAN Manager's web UI is never internet-exposed and is reachable only from a hardened management network or jump host; enforce MFA on all SD-WAN Manager accounts and prune low-privilege/single-task accounts that retain upload capability; rotate credentials for any account that could authenticate during the exposure window; and validate the integrity of the Tomcat deploy directory against a known-good baseline before returning a controller to service. Given the management plane's blast radius across the WAN fabric, treat a suspected compromise of SD-WAN Manager as a fabric-wide event and review pushed configurations for tampering.
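Added example, not code from the brief or from Cisco: the unchecked-filename flaw class described above beside a hardened resolver, plus a triage pass over constructed appserver-style upload log lines for the traversal, web-artefact and unexpected-uploader signals the hunt section lists. The upload directory, log layout, endpoint path and account names are all assumptions.

```python
import posixpath
import re

# Constructed values: the real SD-WAN Manager upload directory, log layout and
# account names are not in the advisory; all are assumed here for illustration.
UPLOAD_DIR = "/opt/data/uploads"
BLOCKED_EXT = {".jsp", ".jspx", ".war"}     # artefacts Tomcat executes or deploys
UPLOAD_ACCOUNTS = {"admin"}                 # accounts expected to upload at all

def vulnerable_dest(filename):
    """Flaw class of CVE-2026-20262 (illustration, not Cisco's code): the
    user-supplied name is joined onto the upload directory unchecked, so
    '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))

def hardened_dest(filename):
    """Resolved write path, or None when the name must be rejected."""
    if not filename or "\x00" in filename:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    # Must resolve strictly inside UPLOAD_DIR; commonpath defeats the
    # '/opt/data/uploads2' string-prefix trap that startswith() would miss.
    if candidate == UPLOAD_DIR or posixpath.commonpath([UPLOAD_DIR, candidate]) != UPLOAD_DIR:
        return None
    if posixpath.splitext(candidate)[1].lower() in BLOCKED_EXT:
        return None
    return candidate

# Hunt side: triage upload requests in an appserver-style access log.
_TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e%2f|%2e%2e%5c", re.IGNORECASE)
_LINE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
                   r'filename="(?P<filename>[^"]*)" (?P<status>\d{3})$')

def triage_upload_logs(lines):
    """Return (timestamp, user, filename, reasons) for suspicious POST uploads."""
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        fn, reasons = m["filename"], []
        if _TRAVERSAL.search(fn) or fn.startswith("/"):
            reasons.append("path-traversal")
        if posixpath.splitext(fn)[1].lower() in BLOCKED_EXT:
            reasons.append("web-artefact")
        if m["user"] not in UPLOAD_ACCOUNTS:
            reasons.append("unexpected-uploader")
        if reasons:
            findings.append((m["ts"], m["user"], fn, reasons))
    return findings

SAMPLE_LOG = [  # constructed lines, not real telemetry
    '2026-06-14T09:02:11Z admin POST /dataservice/upload filename="site-report.csv" 200',
    '2026-06-14T22:13:05Z netops-ro POST /dataservice/upload filename="../../../usr/share/tomcat/webapps/ROOT/cmd.jsp" 200',
    '2026-06-14T23:41:02Z svc-backup POST /dataservice/upload filename="update.war" 200',
]

if __name__ == "__main__":
    for f in triage_upload_logs(SAMPLE_LOG):
        print(f)
```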

ctipilot v2 brief (migrated)

vulnerabilities actively-exploited rce path-traversal cisa-kev global CVE-2026-20262

2026-05-15

Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain

notable vulnerability discovered 2026-05-15 05:00 UTC deep dive

Background. Cisco SD-WAN has been a sustained exploitation target since 2023. Cisco and CISA have published five previous SD-WAN vulnerability advisories with confirmed in-the-wild exploitation this year alone; the February 2026 joint advisory from ACSC, NCSC-UK, and Cisco Talos documented UAT-8616's earlier exploitation of CVE-2026-20127 (pre-auth RCE in SD-WAN Manager) and the post-compromise version-downgrade technique to exploit CVE-2022-20775 for privilege escalation (Talos UAT-8616 blog, 2026-02-25 · ACSC hunt guide, 2026-02-25). CVE-2026-20182 is that actor's sixth exploited Cisco SD-WAN vulnerability in the ongoing campaign, now joined by opportunistic clusters using publicly-available exploit code.

Vulnerability mechanics. The Cisco Catalyst SD-WAN Controller (formerly vSmart) exposes a DTLS-based control-plane peering service on UDP/12346 through the vdaemon process. During the DTLS handshake, a connecting device presents a certificate and claims a device type in the CHALLENGE_ACK message. The vbond_proc_challenge_ack() function checks whether the device type is VBOND (0) or VEDGE (1) before requiring certificate validation, but entirely omits the check for device type VHUB (2): if the connecting peer claims to be a vHub, the function immediately sets peer->authenticated = true and transitions the peering state to UP. An attacker with no credentials sends a DTLS ClientHello using a self-signed certificate — no PKI trust required — claims type 2 in the CHALLENGE_ACK, and becomes an authenticated peer in the SD-WAN fabric's eyes. The Rapid7 Metasploit module demonstrates the complete chain: authenticate as a spoofed vHub, send MSG_VMANAGE_TO_PEER (type 14) containing an SSH public-key blob targeting the vmanage-admin account's authorized_keys, then SSH into the NETCONF service on TCP/830 to execute arbitrary commands (Rapid7, 2026-05-14). From there the attacker has read/write access to all SD-WAN fabric configuration, policy, routing templates, and device credentials.

Kill chain (UAT-8616 post-exploitation TTPs). Post-authentication, UAT-8616 follows a structured kill chain mapped to MITRE ATT&CK:

  1. T1190 Exploit Public-Facing Application — DTLS CHALLENGE_ACK bypass on UDP/12346 grants authenticated peer status.
  2. T1098.004 Account Manipulation: SSH Authorized Keys — SSH public key injected into vmanage-admin's authorized_keys via MSG_VMANAGE_TO_PEER.
  3. T1021.004 Remote Services: SSH — SSH into NETCONF interface (TCP/830) using the injected key; arbitrary command execution under vmanage-admin.
  4. T1562.001 Impair Defenses: Disable or Modify Tools — software version downgrade to re-expose CVE-2022-20775 (local privilege escalation), then version restoration to remove the downgrade artefact from logs.
  5. T1068 Exploitation for Privilege Escalation — CVE-2022-20775 exploited to obtain root from the vmanage-admin account.
  6. T1505.003 Server Software Component: Web Shell — Godzilla, Behinder, and XenShell webshells deployed for persistent access. Godzilla uses AES-128-CBC encrypted HTTP channels; Behinder ("冰蝎") uses dynamic key exchange; XenShell is a lightweight Python-based variant targeting Linux.
  7. T1071 Application Layer Protocol — AdaptixC2, Sliver, and Nimplant C2 implants beaconing over HTTPS; ORB-network-hosted relay infrastructure.
  8. T1070.002 Indicator Removal: Clear Linux or Mac System Logs — syslog, wtmp, and lastlog wiped to remove authentication and session artefacts.
  9. T1496 Resource Hijacking — XMRig cryptocurrency miner deployed on compromised Controllers.

The 10+ additional clusters (#1–#10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133/128/122) on the same infrastructure since March 2026; they skip the version-downgrade chain and focus on webshell persistence and cryptomining.

Hunt and detection concepts. All of the following are observable in SD-WAN Manager and Controller logs:

  • SSH key injection: monitor for new entries in /home/vmanage-admin/.ssh/authorized_keys; alert on any file modification events in that path (Linux auditd rule for WRITE on the path, or EDR file-write telemetry on the Controller VM).
  • NETCONF anomaly: monitor NETCONF sessions (TCP/830) originating from Controller processes for unexpected source IPs — legitimate NETCONF clients are managed devices, not arbitrary IPs; any session from an unrecognised IP range is suspicious.
  • Control-connection anomaly: show sdwan control connections on the Manager; alert on any active connection whose peer IP is not in the expected device inventory. SD-WAN Controller-to-Controller peering shows as VHUB-type — flag unexpected vHub entries.
  • Version downgrade: SD-WAN Manager audit logs record software install and uninstall events; a downgrade → upgrade cycle on the same device within hours without a change-management record is a clear UAT-8616 indicator.
  • Webshell deployment: Godzilla/Behinder webshells typically reside in Tomcat application directories on vManage; look for newly created .jsp / .jspx / .py files in ${CATALINA_HOME}/webapps/ and related directories.
  • Snort IDS signatures: 66482–66483 detect CVE-2026-20182 exploitation attempts; 66468–66469 detect CVE-2026-20133; 66461–66462 detect CVE-2026-20122.
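Added example, not code from the brief or from Cisco, covering the version-downgrade and control-connection bullets above: a detector for downgrade → restore cycles over constructed audit-log lines, and an inventory check over constructed control-connection output. Both input layouts are assumptions and do not match Cisco's real audit schema or CLI columns.

```python
import re
from datetime import datetime, timedelta
# Both input layouts are constructed for this example; the real SD-WAN Manager
# audit schema and 'show sdwan control connections' columns differ.
_AUDIT = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) action=(?P<act>\w+) version=(?P<ver>[\d.]+)$")

def _vtuple(ver):  # '20.12.7.1' -> (20, 12, 7, 1) so releases compare numerically
    return tuple(int(x) for x in ver.split("."))

def find_downgrade_cycles(lines, window_hours=24):
    """Return (device, original, downgraded_to, restored_to, gap) for each activation of an
    older release followed, inside the window, by a release at least as new as the original.
    Legitimate rollbacks match too: reconcile hits with change records, do not alert blindly."""
    acts = {}
    for line in lines:
        m = _AUDIT.match(line)
        if m and m["act"] == "activate":
            acts.setdefault(m["dev"], []).append((datetime.fromisoformat(m["ts"]), _vtuple(m["ver"])))
    findings = []
    for dev, events in acts.items():
        events.sort()
        for i in range(1, len(events)):
            prev_ver, (ts, ver) = events[i - 1][1], events[i]
            if ver >= prev_ver:
                continue  # upgrade or re-activation, not a downgrade
            for later_ts, later_ver in events[i + 1:]:
                if later_ts - ts > timedelta(hours=window_hours):
                    break
                if later_ver >= prev_ver:
                    findings.append((dev, prev_ver, ver, later_ver, later_ts - ts))
                    break
    return findings

def unexpected_peers(lines, inventory):
    """inventory maps peer IP -> role. Flag peers absent from it, and any vHub-type
    peering whose IP is not a known controller."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ptype, _proto, _sys_ip, peer_ip, _state = parts[:5]
        if peer_ip not in inventory:
            findings.append((ptype, peer_ip, "peer not in inventory"))
        elif ptype == "vhub" and inventory[peer_ip] != "vsmart":
            findings.append((ptype, peer_ip, "vhub peering from non-controller"))
    return findings

SAMPLE_AUDIT = [  # constructed, not real telemetry
    "2026-04-01T10:00:00 device=vsmart-01 action=activate version=20.12.7.1",
    "2026-05-03T02:05:00 device=vsmart-01 action=activate version=20.6.3",
    "2026-05-03T03:40:00 device=vsmart-01 action=activate version=20.12.7.1",
    "2026-04-20T09:00:00 device=vsmart-02 action=activate version=20.9.6",
    "2026-04-28T09:00:00 device=vsmart-02 action=activate version=20.9.9.1",
]
SAMPLE_CONTROL = [  # constructed; columns: peer-type proto system-ip peer-ip state
    "vsmart dtls 10.1.1.1 203.0.113.10 up",
    "vhub dtls 10.9.9.9 198.51.100.77 up",
    "vhub dtls 10.2.0.5 192.0.2.50 up",
]
INVENTORY = {"203.0.113.10": "vsmart", "203.0.113.11": "vbond", "192.0.2.50": "vedge"}
```

With the sample data, vsmart-01's 95-minute drop to 20.6.3 and return to 20.12.7.1 is the only cycle reported, while vsmart-02's plain upgrade is ignored.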

Hardening and mitigation. There is no software workaround for CVE-2026-20182 — the authentication-bypass function is in the control-plane peering path that cannot be disabled without breaking SD-WAN functionality. Network-level mitigation: restrict access to UDP/12346 to known legitimate Controller and Edge IPs using ACLs or security groups; this does not eliminate risk from compromised WAN-side devices but raises the exploitation bar. Immediate action is upgrade: apply the Cisco-designated fixed releases (20.9.9.1, 20.12.7.1, 20.15.5.2, 20.18.2.2, or 26.1.1.1 per your active release train). Cisco's SD-WAN Hardening Guide is referenced at sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide.

ctipilot v2 brief (migrated)

actively-exploited pre-auth rce nation-state cisa-kev global CVE-2026-20182

2026-05-15

CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public

notable vulnerability discovered 2026-05-15 05:00 UTC

CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup. A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs). Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a jailbreak-class risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15. Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot. 
Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller / Manager | 10.0 (v3.1) | n/a | Yes (2026-05-14) | Yes — UAT-8616 + 10+ clusters | 20.9.9.1 / 20.12.7.1 / 20.15.5.2 | Cisco PSIRT |
| CVE-2026-42945 | NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller, Gateway Fabric, F5 WAF/App Protect | 9.2 (v4.0) / 8.1 (v3.1) | n/a | No | No (PoC public) | NGINX OS 1.30.1 / Plus R36 P4 | depthfirst / NCSC-CH |
| CVE-2026-46300 | Linux kernel xfrm ESP-in-TCP subsystem ("Fragnesia") — LPE, local only | n/a | n/a | No | No (PoC public) | Distro kernel updates (2026-05-13+) | Wiz Research |
| CVE-2026-45793 | PHP Composer (1.x, 2.x) — GitHub Actions token disclosure in error output | n/a | n/a | No | No | Composer 2.9.8 / 2.2.28 / 1.10.28 | Packagist blog |

vulnerabilities lpe poc-public patch-available global CVE-2026-46300

2026-05-15

UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued

notable threat discovered 2026-05-15 05:00 UTC

Cisco Talos published an updated exploitation bulletin on 2026-05-14 documenting active, in-the-wild exploitation of CVE-2026-20182 — a complete pre-authentication bypass in the Cisco Catalyst SD-WAN Controller — by UAT-8616, a highly sophisticated actor assessed to have operated against Cisco SD-WAN infrastructure since at least 2023 with ORB-network-hosted tooling (Cisco Talos, 2026-05-14). Separately, at least 10 additional less-sophisticated threat clusters (Cluster #1 through #10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) since March 2026 (Rapid7, 2026-05-14). Post-exploitation activity includes deployment of Godzilla, Behinder, and XenShell webshells; AdaptixC2, Sliver, and Nimplant C2 frameworks; XMRig cryptomining; and log-wiping to remove syslog, wtmp, and lastlog artefacts. UAT-8616 additionally performs a targeted version-downgrade to re-expose CVE-2022-20775 (local privilege escalation to root), then restores the original version to erase the downgrade trace. CISA issued Emergency Directive ED-26-03 on 2026-05-14 designating this the sixth Cisco SD-WAN CVE exploited in 2026; companion CVEs CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 were being exploited by multiple clusters since March 2026. Snort detection signatures: 66482–66483 (CVE-2026-20182), 66468–66469 (CVE-2026-20133), 66461–66462 (CVE-2026-20122). Hunt: look for unexpected NETCONF sessions on TCP/830 from Controller processes; additions to /home/vmanage-admin/.ssh/authorized_keys; out-of-sequence software downgrade/upgrade log events in vManage; and peer registrations from unknown ASNs in show sdwan control connections.

actively-exploited pre-auth rce nation-state cisa-kev global

2026-05-11

Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

high synthesis discovered 2026-05-11 05:00 UTC

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land are the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.

ctipilot v2 brief (migrated)

vulnerabilities actively-exploited pre-auth auth-bypass cisa-kev patch-available global CVE-2026-20182