The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed vulnerability affecting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog on Thursday. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaw by May 17, 2026. The issue is a critical authentication bypass vulnerability tracked as CVE-2026-93. The vulnerability scores a perfect 10.0 on the CVSS scale, signifying the highest possible severity. "Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," CISA said.
In a separate advisory, Cisco stated with high confidence that UAT-8616, the same threat cluster responsible for weaponizing CVE-2026-20127, is actively exploiting CVE-2026-20182. "UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor," Cisco Talos said. UAT-8616 tried to add SSH keys, alter NETCONF settings, and gain root-level access. Cisco assesses that the infrastructure leveraged by UAT-8616 for exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks.

The cybersecurity firm also observed multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 starting in March 2026. When chained together, these three vulnerabilities enable a remote, unauthenticated attacker to gain unauthorized access to the device. They were added to the CISA KEV catalog last month.

The attacks have been observed using publicly available proof-of-concept exploit code to install web shells on compromised systems, enabling the threat actors to execute arbitrary Bash commands. One JSP-based web shell, known as XenShell, has been identified by its reliance on a proof-of-concept (PoC) published by ZeroZenX Labs. At least 10 distinct clusters have been associated with the exploitation of these three vulnerabilities. Cluster 1 (active since at least March 6, 2026) deploys the Godzilla web shell, and Cluster 28 (active since at least March 2010, 2026) deploys the Behinder web shell.
The Hacker News