ctipilot.ch


Cisco Catalyst SD-WAN: CVE-2026-20182 Authentication Bypass and UAT-8616 Kill Chain

Notable vulnerability · discovered 2026-05-15 05:00 UTC · deep dive

Entities: UAT-8616

Part of run 2026-05-15-58b94fbd (intel · Claude Sonnet 4.6)

Background. Cisco SD-WAN has been a sustained exploitation target since 2023. Cisco and CISA have published five previous SD-WAN vulnerability advisories with confirmed in-the-wild exploitation this year alone; the February 2026 joint advisory from ACSC, NCSC-UK, and Cisco Talos documented UAT-8616's earlier exploitation of CVE-2026-20127 (pre-auth RCE in SD-WAN Manager) and the post-compromise version-downgrade technique to exploit CVE-2022-20775 for privilege escalation (Talos UAT-8616 blog, 2026-02-25 · ACSC hunt guide, 2026-02-25). CVE-2026-20182 is that actor's sixth exploited Cisco SD-WAN vulnerability in the ongoing campaign, now joined by opportunistic clusters using publicly available exploit code.

Vulnerability mechanics. The Cisco Catalyst SD-WAN Controller (formerly vSmart) exposes a DTLS-based control-plane peering service on UDP/12346 through the vdaemon process. During the DTLS handshake, a connecting device presents a certificate and claims a device type in the CHALLENGE_ACK message. The vbond_proc_challenge_ack() function checks whether the device type is VBOND (0) or VEDGE (1) before requiring certificate validation, but entirely omits the check for device type VHUB (2): if the connecting peer claims to be a vHub, the function immediately sets peer->authenticated = true and transitions the peering state to UP. An attacker with no credentials sends a DTLS ClientHello using a self-signed certificate — no PKI trust required — claims type 2 in the CHALLENGE_ACK, and becomes an authenticated peer in the SD-WAN fabric's eyes. The Rapid7 Metasploit module demonstrates the complete chain: authenticate as a spoofed vHub, send MSG_VMANAGE_TO_PEER (type 14) containing an SSH public-key blob targeting the vmanage-admin account's authorized_keys, then SSH into the NETCONF service on TCP/830 to execute arbitrary commands (Rapid7, 2026-05-14). From there the attacker has read/write access to all SD-WAN fabric configuration, policy, routing templates, and device credentials.

Kill chain (UAT-8616 post-exploitation TTPs). Post-authentication, UAT-8616 follows a structured kill chain mapped to MITRE ATT&CK:

  1. T1190 Exploit Public-Facing Application — DTLS CHALLENGE_ACK bypass on UDP/12346 grants authenticated peer status.
  2. T1098.004 Account Manipulation: SSH Authorized Keys — SSH public key injected into vmanage-admin's authorized_keys via MSG_VMANAGE_TO_PEER.
  3. T1021.004 Remote Services: SSH — SSH into NETCONF interface (TCP/830) using the injected key; arbitrary command execution under vmanage-admin.
  4. T1562.001 Impair Defenses: Disable or Modify Tools — software version downgrade to re-expose CVE-2022-20775 (local privilege escalation), then version restoration to remove the downgrade artefact from logs.
  5. T1068 Exploitation for Privilege Escalation — CVE-2022-20775 exploited to obtain root from the vmanage-admin account.
  6. T1505.003 Server Software Component: Web Shell — Godzilla, Behinder, and XenShell webshells deployed for persistent access. Godzilla uses AES-128-CBC encrypted HTTP channels; Behinder ("冰蝎") uses dynamic key exchange; XenShell is a lightweight Python-based variant targeting Linux.
  7. T1071 Application Layer Protocol — AdaptixC2, Sliver, and Nimplant C2 implants beaconing over HTTPS; ORB-network-hosted relay infrastructure.
  8. T1070.002 Indicator Removal: Clear Linux or Mac System Logs — syslog, wtmp, and lastlog wiped to remove authentication and session artefacts.
  9. T1496 Resource Hijacking — XMRig cryptocurrency miner deployed on compromised Controllers.

The 10+ additional clusters (#1–#10 in Talos's taxonomy) have been exploiting the companion February 2026 CVEs (CVE-2026-20133/128/122) on the same infrastructure since March 2026; they skip the version-downgrade chain and focus on webshell persistence and cryptomining.

Hunt and detection concepts. All of the following are observable in SD-WAN Manager and Controller logs:

  • SSH key injection: monitor for new entries in /home/vmanage-admin/.ssh/authorized_keys; alert on any file modification events in that path (Linux auditd rule for WRITE on the path, or EDR file-write telemetry on the Controller VM).
  • NETCONF anomaly: monitor NETCONF sessions (TCP/830) originating from Controller processes for unexpected source IPs — legitimate NETCONF clients are managed devices, not arbitrary IPs; any session from an unrecognised IP range is suspicious.
  • Control-connection anomaly: show sdwan control connections on the Manager; alert on any active connection whose peer IP is not in the expected device inventory. SD-WAN Controller-to-Controller peering shows as VHUB-type — flag unexpected vHub entries.
  • Version downgrade: SD-WAN Manager audit logs record software install and uninstall events; a downgrade → upgrade cycle on the same device within hours without a change-management record is a clear UAT-8616 indicator.
  • Webshell deployment: Godzilla/Behinder webshells typically reside in Tomcat application directories on vManage; look for newly created .jsp / .jspx / .py files in ${CATALINA_HOME}/webapps/ and related directories.
  • Snort IDS signatures: 66482–66483 detect CVE-2026-20182 exploitation attempts; 66468–66469 detect CVE-2026-20133; 66461–66462 detect CVE-2026-20122.
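As an added illustration of the version-downgrade hunt above (example code written for this brief, not Cisco's or Talos's tooling): constructed SD-WAN Manager audit-style records are scanned for a downgrade on one device that is reversed within a time window. The record layout and the action names are assumptions for the example, not Cisco's real audit-log schema.

```python
from datetime import datetime, timedelta

# Constructed SD-WAN Manager audit-style records (one per line). The layout
# "<ISO timestamp> <device> <action> <version>" is an assumption for this
# example, not Cisco's real audit-log schema.
AUDIT_LOG = """\
2026-04-01T10:00:00Z ctrl-01 software_install 20.12.7.1
2026-05-14T02:35:00Z ctrl-01 software_install 20.9.4
2026-05-14T06:05:00Z ctrl-01 software_install 20.12.7.1
2026-05-14T06:20:00Z ctrl-01 software_uninstall 20.9.4
2026-05-13T09:20:00Z ctrl-02 software_install 20.12.7.1
2026-05-10T08:00:00Z ctrl-03 software_install 20.12.7.1
2026-05-12T08:00:00Z ctrl-03 software_install 20.9.4
"""

def parse_version(v):
    """'20.12.7.1' -> (20, 12, 7, 1); tuples compare numerically field by field."""
    return tuple(int(p) for p in v.split("."))

def parse_events(text):
    """Parse records into (timestamp, device, action, version), oldest first."""
    events = []
    for line in text.splitlines():
        ts, device, action, version = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, action, version))
    return sorted(events)

def find_downgrade_cycles(text, window=timedelta(hours=24)):
    """Flag each device where an install moved to a LOWER version and a later
    install within `window` moved back to the original (or higher) version.
    Returns (device, original_version, downgraded_to, restored_at) tuples.
    A downgrade that is never reversed (a genuine rollback) is not flagged."""
    installs = {}
    for ts, device, action, version in parse_events(text):
        if action == "software_install":
            installs.setdefault(device, []).append((ts, parse_version(version), version))
    findings = []
    for device, seq in installs.items():
        for i in range(1, len(seq)):
            _, prev_v, prev_s = seq[i - 1]
            ts, cur_v, cur_s = seq[i]
            if cur_v >= prev_v:
                continue  # not a downgrade
            for later_ts, later_v, _ in seq[i + 1:]:
                if later_ts - ts <= window and later_v >= prev_v:
                    findings.append((device, prev_s, cur_s, later_ts.strftime("%Y-%m-%dT%H:%M:%SZ")))
                    break
    return findings
```

Only ctrl-01 is flagged: ctrl-03 was downgraded and left there, which is what a change-managed rollback looks like, while ctrl-01 went down and back up within hours.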

Hardening and mitigation. There is no software workaround for CVE-2026-20182 — the authentication-bypass function sits in the control-plane peering path, which cannot be disabled without breaking SD-WAN functionality. Network-level mitigation: restrict access to UDP/12346 to known legitimate Controller and Edge IPs using ACLs or security groups; this does not eliminate risk from compromised WAN-side devices but raises the exploitation bar. The immediate action is to upgrade: apply the Cisco-designated fixed releases (20.9.9.1, 20.12.7.1, 20.15.5.2, 20.18.2.2, or 26.1.1.1 per your active release train). Cisco's SD-WAN Hardening Guide is referenced at sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide.


Tags: actively-exploited · pre-auth · rce · nation-state · cisa-kev · global · CVE-2026-20182