Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
ID: 730a4014-ff7f-5d33-8ed1-372ed2ffa25c
STIX ID: report--730a4014-ff7f-5d33-8ed1-372ed2ffa25c
Feed Name: Cisco Talos
Cisco Talos reports active exploitation of multiple Cisco Catalyst SD-WAN vulnerabilities. CVE-2026-20182 is being exploited in the wild by a sophisticated actor tracked as UAT-8616 to bypass authentication and gain privileges. Separate clusters exploited CVE-2026-20133/20128/20122 to deploy JSP webshells (XenShell, Godzilla, Behinder), backdoors (AdaptixC2, Sliver, Nim-based implants), XMRig miners, credential stealers, and other tooling. The report enumerates ten intrusion clusters and dozens of IOCs (IPs, hashes, C2s), and provides patching and detection recommendations.
