According to The Hacker News, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed vulnerability affecting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to remediate by 17 May 2026.
The flaw, tracked as CVE-2026-20182, is rated 10.0 on the CVSS scale, indicating maximum severity, and CISA stated that it is an authentication bypass that allows an unauthenticated remote attacker to obtain administrative privileges on an affected system.
Cisco, in a separate advisory, attributed active exploitation of CVE-2026-20182 with high confidence to UAT-8616, the same cluster behind the weaponisation of CVE-2026-20127, and noted that UAT-8616 performed post-exploitation actions such as adding SSH keys, modifying NETCONF configurations, and escalating to root privileges.
The analysis also noted that the infrastructure used by UAT-8616 overlaps with ORB networks, and that multiple threat clusters have been observed exploiting several connected CVEs beginning in March 2026. When chained, the three vulnerabilities can allow a remote unauthenticated attacker to gain access to the device; they had previously been added to the KEV catalog.