ctipilot.ch

Cisco Talos — demo.pdb BadIIS commodity MaaS ISAPI backdoor; lwxat developer alias; builder tool recovered; UAT-8099 / DragonRank link; 1,800+ IIS servers compromised globally

campaign · item:cisco-talos-badiis-demo-pdb-maas-isapi-backdoor-lwxat-dragon

Coverage timeline
  • 1 · first 2026-05-20 → last 2026-05-20
Briefs
  • 1 (1 distinct)
Sources cited
  • 33 (22 hosts)
Sections touched
  • 1 (research)
Co-occurring entities
  • 2 (see Related entities below)

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20
     research · First-coverage; Cisco Talos 2026-05-19; primarily APAC focus; IIS-pipeline hijack pattern relevant for any IIS-fronted CMS

Where this entity is cited

  • research (1)

Source distribution

  • attack.mitre.org: 6 (18%)
  • blog.talosintelligence.com: 5 (15%)
  • sec.cloudapps.cisco.com: 2 (6%)
  • thehackernews.com: 2 (6%)
  • cisa.gov: 1 (3%)
  • rapid7.com: 1 (3%)
  • securityweek.com: 1 (3%)
  • bankinfosecurity.com: 1 (3%)
  • other: 14 (42%)

Related entities

All cited sources (33)

Items in briefs about Cisco Talos — demo.pdb BadIIS commodity MaaS ISAPI backdoor; lwxat developer alias; builder tool recovered; UAT-8099 / DragonRank link; 1,800+ IIS servers compromised globally (7)

Cisco Talos: "demo.pdb" BadIIS variant now a commodity MaaS IIS ISAPI backdoor; lwxat developer alias, builder tool recovered

From CTI Daily Brief — 2026-05-20 · published 2026-05-20 · view item permalink →

Cisco Talos published on 2026-05-19 the first MaaS-ecosystem analysis of a BadIIS variant identifiable by embedded demo.pdb path strings in the ISAPI DLL binary. PDB-metadata correlation traces development to a single developer alias "lwxat", active from at least September 2021 through January 2026, with iterative updates and Norton-AV-specific evasion features.

Talos recovered a dedicated builder tool that lets operators generate configuration files and inject parameters into BadIIS ISAPI DLL payloads: traffic redirection to illicit sites, search-engine-crawler proxying, content hijacking, and back-link injection for SEO-fraud monetisation.

The ISAPI DLL hooks into the Windows IIS request pipeline by registering as an ISAPI filter or extension (loaded from applicationHost.config or a per-site web.config), intercepting HTTP requests to hosted sites and selectively modifying responses, i.e. serving different content to crawlers than to human browsers, or proxying requests to attacker-controlled infrastructure.

Talos describes the geographic distribution as primarily the Asia-Pacific region with a smaller number of compromised servers in South Africa, Europe, and North America; the activity overlaps with the broader DragonRank SEO-poisoning ecosystem Talos previously documented under the actor cluster UAT-8099. BadIIS itself is not a vulnerability: it requires a prior IIS-server compromise (web shell, vulnerable CMS plugin) to plant the DLL.

Detection concepts:

  • enumerate applicationHost.config and each site's web.config for unexpected <isapiFilters> / <httpModules> entries;
  • alert on the IIS worker process (w3wp.exe) loading DLLs from non-standard paths (Sysmon Event ID 7);
  • monitor IIS response-body sizes for anomalies on content that should be static;
  • alert on w3wp.exe initiating outbound HTTP to non-allow-listed destinations.

Relevance for Swiss / EU public-sector defenders is secondary (the regional focus is APAC), but the IIS-pipeline hijack pattern is jurisdiction-agnostic: any organisation with IIS-fronted CMS deployments should run the configuration-enumeration sweep.
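The configuration-enumeration sweep and the Sysmon Event ID 7 check described in the item above, as an added Python example that is not part of the brief or of any Talos tooling. It walks an applicationHost.config (a constructed sample is embedded), flags <isapiFilters>, native <globalModules> and <isapiCgiRestriction> entries whose DLL sits outside the trusted IIS / Windows directories, and applies the same path test to Sysmon ImageLoad records for w3wp.exe. The trusted-directory list, the C:\Windows expansion for %windir%, the dict shape of the Sysmon events and every sample path are assumptions; none is an indicator from the page.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Directories from which IIS and .NET legitimately load native modules and ISAPI
# filters/extensions. Assumption: default C:\Windows install; extend for other layouts.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# applicationHost.config uses environment variables in paths; expand the common ones.
ENV_EXPANSIONS = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# (container element, child element, attribute holding the DLL path)
DLL_REGISTRATIONS = (
    ("isapiFilters", "filter", "path"),        # ISAPI filters
    ("globalModules", "add", "image"),         # native IIS modules
    ("isapiCgiRestriction", "add", "path"),    # ISAPI extensions allowed to run
)


def normalise_path(path: str) -> str:
    """Expand %windir%/%SystemRoot%, unify separators and case for prefix matching."""
    p = path.strip().strip('"')
    for var, value in ENV_EXPANSIONS.items():
        p = re.sub(re.escape(var), lambda _m, v=value: v, p, flags=re.IGNORECASE)
    return p.replace("/", "\\").lower()


def is_trusted_path(path: str) -> bool:
    return normalise_path(path).startswith(TRUSTED_DIR_PREFIXES)


def find_untrusted_loads(config_xml: str) -> List[Dict[str, str]]:
    """Return DLL registrations in applicationHost.config that point outside the trusted dirs.
    Server-wide settings live under <configuration><system.webServer>; per-site overrides
    live under <location path="Site Name"><system.webServer>."""
    root = ET.fromstring(config_xml)
    scopes = [("<server-wide>", root.find("system.webServer"))]
    scopes += [(loc.get("path", "?"), loc.find("system.webServer")) for loc in root.findall("location")]
    findings = []
    for site, section in scopes:
        if section is None:
            continue
        for container, child, attr in DLL_REGISTRATIONS:
            for block in section.iter(container):
                for entry in block.findall(child):
                    dll = entry.get(attr, "")
                    if dll and not is_trusted_path(dll):
                        findings.append({"site": site, "kind": container,
                                         "name": entry.get("name", ""), "path": dll})
    return findings


def flag_w3wp_image_loads(events: List[Dict]) -> List[Dict]:
    """Sysmon Event ID 7 (ImageLoad): keep events where w3wp.exe loaded a DLL from outside
    the trusted directories or without a valid Authenticode signature. Events are dicts
    keyed by the Sysmon EventData field names (assumed shape, e.g. a SIEM export)."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if not normalise_path(ev.get("Image", "")).endswith("\\w3wp.exe"):
            continue
        loaded = ev.get("ImageLoaded", "")
        if not is_trusted_path(loaded) or ev.get("SignatureStatus") != "Valid":
            flagged.append(ev)
    return flagged


# Constructed sample config: one rogue native module and one rogue ISAPI filter.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="UpdateModule" image="C:\Windows\Temp\upd\update.dll" />
    </globalModules>
    <isapiCgiRestriction>
      <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" />
    </isapiCgiRestriction>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <isapiFilters>
        <filter name="Compression" path="%windir%\system32\inetsrv\compstat.dll" enabled="true" />
        <filter name="SeoHelper" path="C:\inetpub\wwwroot\bin\seohelper.dll" enabled="true" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>"""

# Constructed Sysmon EID 7 records (field names as in Sysmon EventData).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\System32\inetsrv\static.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\Temp\upd\update.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in find_untrusted_loads(SAMPLE_CONFIG):
        print(f"[config] {f['site']} {f['kind']} {f['name']!r} -> {f['path']}")
    for ev in flag_w3wp_image_loads(SAMPLE_EVENTS):
        print(f"[sysmon] w3wp.exe loaded {ev['ImageLoaded']} (signature: {ev['SignatureStatus']})")
```

On a live host, read %windir%\System32\inetsrv\config\applicationHost.config plus each site's web.config with the same function; a legitimate third-party module installed under Program Files will also be flagged, so treat the output as a review list and add vendor directories to the trusted prefixes once verified.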

Cisco Catalyst SD-WAN CVE-2026-20182 — pre-auth authentication bypass under active exploitation; CISA KEV-listed

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18 · view item permalink →

If you did nothing this week: Internet-exposed SD-WAN Manager instances without the patched build applied are high-value initial-access targets. The pre-auth authentication bypass in Cisco Catalyst SD-WAN Manager and Controller (CVSS 10.0) is under active exploitation. CISA has added CVE-2026-20182 to the Known Exploited Vulnerabilities catalogue.

The vulnerability arises from improper validation of API request parameters, allowing an unauthenticated remote attacker to bypass authentication and execute administrative functions, including creating admin-level accounts and modifying device configuration. Talos confirmed exploitation in the wild in its 2026-05-14 advisory, documenting a cluster tracked as UAT-8616 among others. Talos documents 10 exploitation clusters targeting older CVE-2026-20133 / CVE-2026-20128 / CVE-2026-20122 vulnerabilities in the same product line — active exploitation of CVE-2026-20182 specifically is confirmed by Cisco PSIRT. Patched builds per Cisco PSIRT: 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1; older releases require upgrade.

CVE-2026-20182 — Cisco Catalyst SD-WAN: pre-auth authentication bypass, Active ITW, CISA KEV

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18 · view item permalink →

The pre-auth bypass in Cisco Catalyst SD-WAN Manager and Controller (CVSS 10.0) — including exploitation by a cluster Talos tracks as UAT-8616 — allows administrative account creation and device-configuration modification without authentication. CISA KEV-listed. Patched builds per Cisco PSIRT (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1) must be applied immediately; older releases require upgrade. Swiss and EU operators should treat this at Kritisch/Critical urgency based on active exploitation rate.

Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

If you did nothing this week: any Catalyst SD-WAN Manager or Controller with an internet-reachable management plane has been within UAT-8616's active exploitation window per Cisco Talos's 2026-05-14 timeline — with full fabric-takeover capability via a pre-authentication HTTP-header parsing bypass in the NETCONF gateway. The published kill chain is HTTP-header injection → authentication bypass → vManage administrative API → orchestrator-level configuration push → arbitrary device-config rewrite across every fabric member. Patches are available (vManage 20.13.4 / 20.12.6 / 20.9.7 / earlier branches per Cisco PSIRT); CISA issued Emergency Directive ED-26-03 on 2026-05-15 mandating identification, mitigation, and reporting for US federal civilian agencies with a 2026-05-17 (today) deadline (Cisco PSIRT; CISA ED-26-03; daily 2026-05-15).

What makes the SD-WAN picture operationally critical for Swiss / EU defenders even after the patches land is the approximately 10 additional intrusion clusters Talos and CISA jointly identified exploiting February-2026 Catalyst SD-WAN companion CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 — patched in Q1 2026 but with public-PoC availability that drove a wave of secondary exploitation against organisations that lagged the original patch). The 10-cluster figure indicates the SD-WAN attack surface is being mined systematically by multiple unrelated operators, not just UAT-8616, so the hunt is not bounded to a single named cluster's TTPs: review vmanage_event and NETCONF-gateway logs for any 401/403→200 transitions on /dataservice/* endpoints from external source IPs across the entire Q1-2026 → present window, and assume any unpatched device has been visited.

CISA Emergency Directive ED-26-03 — Cisco Catalyst SD-WAN

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

Issued 2026-05-15 mandating identification, mitigation, and reporting on CVE-2026-20182 for US federal civilian agencies with a 2026-05-17 (today) deadline. For Swiss / EU public-sector defenders the US-FCEB compliance date itself is not operational signal (per the inherited PD-13) but the issuance of an Emergency Directive is. Use the ED's mitigation matrix as a reference for your own SD-WAN response posture (CISA ED-26-03; Daily 2026-05-15).

UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued

From CTI Daily Brief — 2026-05-15 · published 2026-05-15 · view item permalink →

Cisco Talos published an updated exploitation bulletin on 2026-05-14 documenting active, in-the-wild exploitation of CVE-2026-20182, a complete pre-authentication bypass in the Cisco Catalyst SD-WAN Controller, by UAT-8616, a highly sophisticated actor assessed to have operated against Cisco SD-WAN infrastructure since at least 2023 with ORB-network-hosted tooling (Cisco Talos, 2026-05-14). Separately, at least 10 additional, less sophisticated threat clusters (Cluster #1 through #10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) since March 2026 (Rapid7, 2026-05-14).

Post-exploitation activity includes deployment of Godzilla, Behinder, and XenShell web shells; AdaptixC2, Sliver, and Nimplant C2 frameworks; XMRig cryptomining; and log-wiping to remove syslog, wtmp, and lastlog artefacts. UAT-8616 additionally performs a targeted version downgrade to re-expose CVE-2022-20775 (local privilege escalation to root), then restores the original version to erase the downgrade trace.

CISA issued Emergency Directive ED-26-03 on 2026-05-14, designating this the sixth Cisco SD-WAN CVE exploited in 2026; the companion CVEs CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 have been exploited by multiple clusters since March 2026. Snort detection signatures: 66482–66483 (CVE-2026-20182), 66468–66469 (CVE-2026-20133), 66461–66462 (CVE-2026-20122).

Hunt:

  • unexpected NETCONF sessions on TCP/830 from Controller processes;
  • additions to /home/vmanage-admin/.ssh/authorized_keys;
  • out-of-sequence software downgrade/upgrade log events in vManage;
  • peer registrations from unknown ASNs in show sdwan control connections.

CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover

From CTI Daily Brief — 2026-05-15 · published 2026-05-15 · view item permalink →

CVE-2026-20182 (CVSS 10.0, CWE-287) is a complete authentication bypass in the vdaemon service's DTLS control-plane peering on UDP/12346 (Cisco PSIRT cisco-sa-sdwan-rpa2-v69WY2SW, 2026-05-14 · Rapid7, 2026-05-14). The vbond_proc_challenge_ack() function processes CHALLENGE_ACK messages without checking the claimed device type: a connecting device claiming type 2 (vHub) using a self-signed certificate is unconditionally marked as authenticated. The attacker then sends MSG_VMANAGE_TO_PEER (message type 14) to inject an SSH public key into /home/vmanage-admin/.ssh/authorized_keys, achieving persistent SSH access to the SD-WAN Manager on NETCONF port TCP/830. From there, the attacker has full control of SD-WAN fabric configuration, routing policy, and can read or modify all managed-site configurations. Added to CISA KEV on 2026-05-14 with active exploitation confirmed. No workaround exists; network segmentation of the UDP/12346 interface is the only partial mitigation where upgrading is not immediately possible. Fixed: 20.9.9.1, 20.12.5.4/6.2/7.1, 20.15.4.4/5.2, 20.18.2.2, 26.1.1.1.