Cisco patches another actively exploited SD-WAN zero-day (CVE-2026-20182)
ID: b6c4daca-9bdf-5b08-92c8-838d15d31b6a
STIX ID: report--b6c4daca-9bdf-5b08-92c8-838d15d31b6a
Feed Name: Help Net Security
A zero-day authentication bypass (CVE-2026-20182) in Cisco Catalyst SD-WAN Controller/Manager has been observed being exploited in the wild by a sophisticated actor dubbed UAT-8616. The flaw lets unauthenticated attackers become an authenticated DTLS peer, inject an SSH key into the vmanage-admin account, and then access NETCONF to reconfigure the SD-WAN. Cisco has released fixes and urged customers to upgrade and review logs (look for "Accepted publickey for vmanage-admin" from unknown IPs). Researchers (Rapid7, Cisco Talos) have published related analysis and IOCs, noting additional related CVEs and webshells like "XenShell."
