{"id":54597,"date":"2026-05-14T13:52:35","date_gmt":"2026-05-14T13:52:35","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=54597"},"modified":"2026-05-14T13:52:35","modified_gmt":"2026-05-14T13:52:35","slug":"ongoing-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=54597","title":{"rendered":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-14T18:05:08&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.\\n  * Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.\\n  * The exploitation of CVE-2026-20182 appears to have been limited so far, and Talos clusters this activity under UAT-8616 with high confidence.\\n  * Talos is also aware of a series of threat actors, distinct from UAT-8616, that have been observed exploiting a different, previously disclosed set of vulnerabilities in a different way than previously identified, beginning March 2026 &#8211; specifically CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122. It is important to note that those vulnerabilities are distinct from and pre-date CVE-2026-20182. 
Cisco released software updates and a security advisory addressing those vulnerabilities in February 2026, strongly recommending that customers upgrade.\\n  * We have identified multiple clusters of post-compromise activity, beginning March 2026, associated with the exploitation of CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 that deployed webshells and other malicious tooling, described in this post.\\n  * We observed that the vast majority of this exploitation involved the use of ZeroZenX Labs&#8217; proof-of-concept and accompanying JSP-based webshell, which we track as \\&#8221;XenShell.\\&#8221;\\n\\n\\n\\n* * *\\n\\n## UAT-8616 in-the-wild (ITW) exploitation of CVE-2026-20182\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/threat-advisory.jpg)\\n\\nTalos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, which allows an attacker to log in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, which we assess to be a highly sophisticated cyber threat actor. UAT-8616 previously exploited a similar vulnerability in Cisco Catalyst SD-WAN Controller, CVE-2026-20127, to gain unauthorized access to SD-WAN systems.\\n\\nAfter successfully exploiting CVE-2026-20182, UAT-8616 performed post-compromise actions similar to those observed in its exploitation of CVE-2026-20127. UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges. 
Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely.\\n\\nCustomers are strongly advised to follow the guidance and recommendations published in Cisco&#8217;s Security Advisory on CVE-2026-20182. Customer support is also available by initiating a TAC request. Please refer to the Recommendations and Detection Guidance section for additional coverage information. We also recommend referring to Rapid7&#8217;s disclosure on CVE-2026-20182 for additional details.\\n\\n## In-the-wild (ITW) exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128\\n\\nTalos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device. Cisco released software updates and a security advisory addressing these vulnerabilities in February 2026. Following the public release of proof-of-concept code exploiting these vulnerabilities by ZeroZenX Labs in March, we observed the exploitation of the unpatched systems from March to April 2026.\\n\\nTalos has observed several other threat clusters, separate from UAT-8616, leveraging publicly available proof-of-concept exploit code to deploy webshells to affected systems. 
Following successful exploitation, the webshells would allow the attacker to execute bash commands on the affected system.\\n\\nThe vast majority of observed exploitation attempts involved the use of the ZeroZenX Labs proof-of-concept code and accompanying JavaServer Pages (JSP) shell, which we are calling \\&#8221;XenShell.\\&#8221; However, we observed several other JSP-based webshell variants, which are outlined below.\\n\\n_Note: The CVE referenced in the ZeroZenX Labs proof-of-concept is incorrectly attributed to CVE-2026-20127. Talos&#8217; analysis indicates that the CVEs targeted by the proof-of-concept are in fact CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122._\\n\\nSo far, Talos has observed the following clusters of malicious activity being conducted following successful exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128: Cluster #1 to Cluster #10.\\n\\n### Cluster 1\\n\\nThis cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 6, 2026. Following the exploitation of these CVEs, the threat actor deployed a variant of the Godzilla webshell under the filename \\&#8221;20251117022131.jsp\\&#8221;. This variant is associated with a publicly available GitHub project.\\n\\nThe following IPs were used to carry out the exploit and subsequently interact with the shell:\\n\\n  * 38.181.52[.]89\\n  * 89.125.244[.]33\\n  * 89.125.244[.]51\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-deb361d2-0c87-407c-8fb4-08515c3a6aeb.png)Figure 1. Tas9er Godzilla shellcode deployed in Cluster #1.\\n\\n### Cluster 2\\n\\nThis cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 10, 2026. 
Following their exploitation, the threat actor deployed a variant of the Behinder webshell under the filename \\&#8221;conf.jsp\\&#8221;. This variant has been modified to only use Base64 for encoding, as opposed to AES encryption commonly observed in other variants.\\n\\nThe IP \\&#8221;71.80.85[.]135\\&#8221; was used to carry out the exploit and interact with the shell.\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-2102a1a7-59e5-4cb0-9655-f5d040c4cfb7.png)Figure 2. Behinder webshell deployed in Cluster #2.\\n\\n### Cluster 3\\n\\nThis cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 4, 2026. Following successful exploitation, the threat actor deployed XenShell under the name \\&#8221;sysv.jsp\\&#8221;, before returning hours later to deploy a variant of the Behinder webshell under the filename \\&#8221;sysinit.jsp\\&#8221;.\\n\\nThe IP \\&#8221;212.83.162[.]37\\&#8221; was used to carry out the exploit and interact with the shell.\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-aed13c93-08fb-48c7-a75c-42d4e2da8f45.png)Figure 3. Behinder webshell deployed in Cluster #3.\\n\\n### Cluster 4\\n\\nThis cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 3, 2026. 
Following successful exploitation, the threat actor deployed a variant of the Godzilla webshell under the filename \\&#8221;vmurnp_ikp.jsp\\&#8221;.\\n\\nThe following IPs are attributed to this cluster:\\n\\n  * 38.60.214[.]92\\n  * 65.20.67[.]134\\n  * 104.233.156[.]1\\n  * 194.233.100[.]40\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-f1acdf08-ff24-4985-8261-a7466198daa1.png)Figure 4. Godzilla webshell deployed in Cluster #4.\\n\\n### Cluster 5\\n\\nTalos observed the deployment, beginning March 13, 2026, of a malware agent compiled from the publicly available AdaptixC2 red team framework. The filename was \\&#8221;systemd-resolved\\&#8221; and the agent&#8217;s command and control (C2) is \\&#8221;194[.]163[.]175[.]135:4445\\&#8221;.\\n\\nThe authors have changed the default TCP banner for the sample from \\&#8221;AdapticC2 server\\&#8221; to \\&#8221;shadowcore\\&#8221;. The server is hosted on Contabo GmbH and is likely a VPS. As of March 28, 2026, this C2 IP, \\&#8221;194[.]163[.]175[.]135\\&#8221;, hosted:\\n\\n  * A Mythic C2 server on port 7443, along with a Mythic C2 server certificate with serial number: fece5b954e69b2c6a8d0a1029631a0d7\\n  * Another AdaptixC2 server on port 31337\\n  * An open SSH service on port 22, likely for administration of the server\\n\\n\\n\\n### Cluster 6\\n\\nIn another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename \\&#8221;CWan\\&#8221;. 
The Sliver sample&#8217;s C2 is \\&#8221;mtls:\/\/23.27.143[.]170:443\\&#8221;.\\n\\n### Cluster 7\\n\\nIn this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script from the remote location \\&#8221;83.229.126[.]195\\&#8221;.\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-30689ca1-e62c-48c8-8549-45f764a97a34.png)Figure 5. Download and startup script for XMRig.\\n\\nThis IP, residing in Hong Kong, is also a known C2 server for Cobalt Strike.\\n\\n### Cluster 8\\n\\nActivity observed in Cluster 8 began as early as March 10, 2026. This cluster consisted of a few key malicious tools. The first tool is KScan, an asset mapping tool that can port scan, fingerprint TCP services, capture banners for specified assets, and obtain as much port information as possible while sending as few packets as possible. It can also perform automated brute-force cracking, including against RDP. The tool&#8217;s filename and Go packages have been renamed to \\&#8221;QScan\\&#8221; by the authors, but it is essentially the same implementation as the open-source GitHub version.\\n\\nThe second tool, named \\&#8221;agent1\\&#8221;, is a Nim-based implant. 
It is most likely based on the open-source tool Nimplant, but has been further modified to include:\\n\\n  * Additional commands\/capabilities, such as cd to directories; cat files; download and upload files; execute files using bash; and collect system information such as username, hostname, hwid, process listings, etc.\\n  * C2 endpoints used for registration\/check-ins, obtaining tasks, returning results, and more:\\n    * \/api\/v1\/handshake\\n    * \/api\/v1\/results\\n    * \/api\/v1\/payloads\\n    * \/api\/v1\/exfiltrate\\n    * \/api\/v1\/tasks\\n    * \/api\/v1\/init\\n  * An RSA public key to be used by the agent to communicate with the C2 hosted on \\&#8221;hxxp:\/\/13[.]62[.]52[.]206:5004\\&#8221;.\\n\\n\\n\\nThis tool was downloaded and executed post-compromise from the remote location \\&#8221;replit[.]dev\\&#8221;:\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-950b2cf7-7052-4283-b7c5-3ff4c3821498.png)Figure 6. Download and startup script for the Nim-based implant.\\n\\nThe attackers executed this command on the compromised system while connected from the source IP \\&#8221;79[.]135[.]105[.]208\\&#8221;. This is likely a ProtonVPN node.\\n\\nReplit is a development platform that facilitates building applications with AI assistance. It is therefore likely that the backdoor was created with the help of AI to resemble Nimplant&#8217;s functionality, with the additional capabilities and deviations listed above.\\n\\n### Cluster 9\\n\\nIn this cluster, since at least March 17, 2026, Talos observed the deployment of an XMRig miner and a peer-based proxying and tunneling tool.\\n\\nThis tool, gsocket, allows peers to connect to each other within the Global Socket Relay Network (GSRN). 
GSRN allows peers to connect to each other using node IDs, which are unique 16-byte identifiers for nodes within the network.\\n\\nThis sample obtains the peer or C2 node to connect to by reading and Base58 decoding the accompanying \\&#8221;defunct[.]dat\\&#8221; file. The C2 peer ID is:\\n    \\n    \\n    78 c4 a2 37 56 27 7b b7 de 20 06 76 34 d2 63 c9  \\n    \\n\\nThe tool is activated by placing a malicious command in the .profile file:\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-0e5a9bc6-5972-4712-9d68-e31fc019883a.png)\\n\\nThis decodes to:\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-e68d4b40-40f1-486d-833e-7790193a9d4e.png)\\n\\n**XMRig Miner**\\n\\nAccompanying gsocket was a Monero miner and its scripts and configuration files. The miner is also activated via the user profile (.profile):\\n    \\n    \\n    \/tmp\/moneroocean\/miner.sh --config=\/tmp\/moneroocean\/config_background.json \\u003e\/dev\/null 2\\u003e\\u00261\\n    \\n\\nThe \\&#8221;miner.sh\\&#8221; script finds all processes named XMRig, kills them, and then starts its own copy of XMRig:\\n\\n![Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https:\/\/storage.ghost.io\/c\/af\/a0\/afa04ee3-414f-4481-8d23-7e7c146f192e\/content\/images\/2026\/05\/data-src-image-66f5c5b6-d9d2-441f-8e1b-b7740140ea01.png)\\n\\n### Cluster 10\\n\\nThis cluster of activity, since at least March 13, 2026, consisted of a credential stealer deployed along with accompanying scripts. 
The main script, named \\&#8221;loot_run.sh\\&#8221;, attempted to obtain:\\n\\n  * The admin user&#8217;s hashdump\\n  * JSON Web Token (JWT) key chunks that are used for REST API authentication\\n  * AWS credentials for vManage: AccessKeyId, SecretAccessKey and Token\\n\\n\\n\\nTwo other helper scripts were also deployed in this cluster to check whether the current user could escalate to root. The scripts contained a hardcoded password and used it to execute the command `su root -c id`. The output is checked for the string \\&#8221;uid=0(root)\\&#8221; to verify successful escalation.\\n\\n## Recommendations and detection guidance\\n\\nCustomers are strongly advised to follow the guidance and recommendations published in Cisco&#8217;s Security Advisory on CVE-2026-20182. Customer support is also available by initiating a TAC request. Talos strongly recommends that customers and partners using Cisco Catalyst SD-WAN technology follow the steps outlined in this advisory to help protect their environments. 
We also recommend referring to Rapid7&#8217;s disclosure on CVE-2026-20182 for additional details.\\n\\nSnort SIDs for CVE-2026-20182: 66482 &#8211; 66483\\n\\nPlease refer to the official Cisco Security Advisory on CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 for the latest information regarding affected products, Indicators of Compromise (IOCs), and mitigation steps.\\n\\nSnort SIDs for CVE-2026-20133: 66468 &#8211; 66469\\n\\nSnort SIDs for CVE-2026-20122: 66461 &#8211; 66462\\n\\nSnort SIDs for CVE-2026-20128: 66468 &#8211; 66469\\n\\nSnort SIDs for the threats detailed in Clusters #1 through #10 are:\\n\\n  * Snort2: 66200, 66201, 66202\\n  * Snort3: 301461, 301462, 66252\\n\\n\\n\\nClamAV signatures for the malicious tooling associated with these clusters:\\n\\n  * Unix.Tool.QScanCrack-10059958\\n  * Unix.Backdoor.NimPlant-10059957\\n  * Unix.Tool.GSocket-10059956\\n  * Unix.Backdoor.JSPZapLoot-10059955\\n  * Unix.Backdoor.GopherRAT-10059941\\n  * Unix.Backdoor.JSPZap-10059944\\n  * Unix.Backdoor.JSPZapExcEnc-10059945\\n\\n\\n\\n## IOCs\\n\\nIOCs for the Clusters detailed above are also available in our GitHub repository here.\\n\\n### Cluster 1\\n\\n  * 38.181.52[.]89\\n  * 89.125.244[.]33\\n  * 89.125.244[.]51\\n\\n\\n\\n### Cluster 2\\n\\n  * 71.80.85[.]135\\n\\n\\n\\n### Cluster 3\\n\\n  * 212.83.162[.]37\\n\\n\\n\\n### Cluster 4\\n\\n  * 38.60.214[.]92\\n  * 65.20.67[.]134\\n  * 104.233.156[.]1\\n  * 194.233.100[.]40\\n\\n\\n\\n### Cluster 5 &#8211; AdaptixC2\\n\\n  * f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1\\n\\n\\n\\n### Cluster 5 &#8211; AdaptixC2 C2 server\\n\\n  * 194[.]163[.]175[.]135:4445\\n\\n\\n\\n### Cluster 5 &#8211; AdaptixC2 C2 IP\\n\\n  * 194[.]163[.]175[.]135\\n\\n\\n\\n### Cluster 6 &#8211; Sliver\\n\\n  * 02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8\\n\\n\\n\\n### Cluster 6 &#8211; Sliver C2 over mTLS\\n\\n  * 
mtls[:\/\/]23.27.143[.]170:443\\n\\n\\n\\n### Cluster 6 &#8211; Sliver C2 IP\\n\\n  * 23.27.143[.]170\\n\\n\\n\\n### Cluster 7 &#8211; XMRig downloader script\\n\\n  * 0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0\\n\\n\\n\\n### Cluster 7 &#8211; XMRig sample\\n\\n  * 96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46\\n\\n\\n\\n### Cluster 7 &#8211; XMRig configuration\\n\\n  * 7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1\\n\\n\\n\\n### Cluster 7 &#8211; XMRig remote location IP\\n\\n  * 83[.]229[.]126[.]195\\n\\n\\n\\n### Cluster 7 &#8211; XMRig remote URL\\n\\n  * hxxp:\/\/83[.]229[.]126[.]195:8081\/xmrig\\n\\n\\n\\n### Cluster 7 &#8211; XMRig configuration file remote location\\n\\n  * hxxp:\/\/83[.]229[.]126[.]195:8081\/config[.]json\\n\\n\\n\\n### Cluster 8 &#8211; Nim-based backdoor\\n\\n  * 0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d\\n\\n\\n\\n### Cluster 8 &#8211; Download URL for the Nim-based backdoor\\n\\n  * hxxps:\/\/1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p[.]worf[.]replit.dev\/download\\n\\n\\n\\n### Cluster 8 &#8211; Attacker controlled sub-domain hosting the Nim-based backdoor\\n\\n  * a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p[.]worf[.]replit.dev\\n\\n\\n\\n### Cluster 8 &#8211; Attacker IP that downloaded the Nim-based backdoor\\n\\n  * 79[.]135[.]105[.]208\\n\\n\\n\\n### Cluster 8 &#8211; C2 for Nim-based backdoor\\n\\n  * hxxp:\/\/13[.]62[.]52[.]206:5004\\n\\n\\n\\n### Cluster 8 &#8211; C2 IP for Nim-based backdoor\\n\\n  * 13[.]62[.]52[.]206\\n\\n\\n\\n### Cluster 8 &#8211; KScan &#8211; scanning tool\\n\\n  * 18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80\\n\\n\\n\\n### Cluster 8 &#8211; IP related to Nim-based backdoor and KScan\\n\\n  * 176[.]65[.]139[.]31\\n\\n\\n\\n### Cluster 9 &#8211; gsocket\\n\\n  * d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa\\n\\n\\n\\n### Cluster 9 &#8211; gsocket secret file\\n\\n 
 * 5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8\\n\\n\\n\\n### Cluster 9 &#8211; IP related to Miner activity\\n\\n  * 47[.]104[.]248[.]7\\n\\n\\n\\n### Cluster 10 &#8211; VManage credential extractor script\\n\\n  * b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3\\n\\n\\n\\n### Cluster 10 &#8211; Check for root escalation\\n\\n  * 72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060\\n  * 17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925&#8243;,&#8221;published&#8221;:&#8221;2026-05-14T16:02:36&#8243;,&#8221;modified&#8221;:&#8221;2026-05-14T16:02:36&#8243;,&#8221;type&#8221;:&#8221;talosblog&#8221;,&#8221;title&#8221;:&#8221;Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2026-20122&#8243;,&#8221;CVE-2026-20127&#8243;,&#8221;CVE-2026-20128&#8243;,&#8221;CVE-2026-20133&#8243;,&#8221;CVE-2026-20182&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:10,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&
#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.talosintelligence.com\/sd-wan-ongoing-exploitation\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-14T18:05:08&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,69,11,5],"class_list":["post-54597","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - 
https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=54597\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-05-14T18:05:08&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=54597\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-14T13:52:35+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20\",\"datePublished\":\"2026-05-14T13:52:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597\"},\"wordCount\":3073,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"Security\",\"talosblog\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=54597#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597\",\"name\":\"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-14T13:52:35+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=54597\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=54597#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=54597","og_locale":"en_US","og_type":"article","og_title":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-05-14T18:05:08&#8243;,&#8221;description&#8221;:&#8221;* Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst...","og_url":"https:\/\/zero.redgem.net\/?p=54597","og_site_name":"zero redgem","article_published_time":"2026-05-14T13:52:35+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=54597#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=54597"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20","datePublished":"2026-05-14T13:52:35+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=54597"},"wordCount":3073,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","Security","talosblog","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=54597#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=54597","url":"https:\/\/zero.redgem.net\/?p=54597","name":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-14T13:52:35+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=54597#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=54597"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=54597#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities_TALOSBLOG:51F5173F108B01EE2E227083EBCF7F20"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/54597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=54597"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/54597\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=54597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=54597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=54597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}