Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)
ID: 5aa97052-97d3-5b49-8c37-802e96c0ceb9
STIX ID: report--5aa97052-97d3-5b49-8c37-802e96c0ceb9
Feed Name: Tenable Blog
Tenable RSO reports that multiple critical authentication-bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager (notably CVE-2026-20182 and CVE-2026-20127) are being actively exploited in the wild by a sophisticated actor designated UAT-8616 and, following public proof-of-concept releases, by at least ten other clusters. Successful exploitation yields administrative NETCONF access, which can be escalated to root and leads to network-wide configuration control. Observed post-compromise activity includes SSH key injection, NETCONF manipulation, creation of malicious accounts, log clearing, and the use of webshells, red-team frameworks and cryptocurrency miners. Cisco has released patches, and CISA issued Emergency Directive 26-03 with mandated remediation. Tenable and Cisco have published IoCs and guidance for detecting, hunting on, and hardening affected devices.
