A critical zero-day vulnerability in Cisco’s network infrastructure software is under active exploitation by a persistent threat group. The flaw, identified as CVE-2026-20182, affects Cisco Catalyst SD-WAN Controller and Manager and has been assigned a maximum CVSS score of 10.

Threat Group Behind Ongoing Attacks

Cisco disclosed in a threat advisory on Thursday that the threat group responsible for the attacks is linked to the exploitation of a series of previously disclosed vulnerabilities in the company's firewalls and SD-WAN systems. The group, designated UAT-8616 by Cisco Talos researchers, has been active for at least three years.

Douglas McKee, director of vulnerability intelligence at Rapid7, described the vulnerability in stark terms:

"An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access. That is the cybersecurity version of a Jedi mind trick."
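The failure class McKee describes, a controller that accepts a peer's self-asserted identity without validating it, shown as an added, deliberately simplified illustration. This is not Cisco code and not the actual mechanics of CVE-2026-20182, which the article does not detail; it contrasts a toy admission check that trusts a claimed router identifier with one that demands proof of possession of an enrolled per-device secret over a single-use challenge. The device name, role, enrollment store and HMAC-based proof are assumptions made for the example.

```python
"""Added example: trusting a claimed identity vs. requiring proof of possession.

Constructed toy; not Cisco's implementation and not the CVE-2026-20182 bug.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Controller:
    # Hypothetical enrollment store: device_id -> (enrolled secret, granted role)
    enrolled: dict = field(default_factory=dict)
    # Challenges handed out and not yet consumed; each may be used once.
    issued_nonces: set = field(default_factory=set)

    def enroll(self, device_id: str, role: str) -> bytes:
        """Enroll a device and return the secret it must later prove it holds."""
        secret = secrets.token_bytes(32)
        self.enrolled[device_id] = (secret, role)
        return secret

    def challenge(self) -> str:
        """Issue a fresh single-use nonce for one admission attempt."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def admit_vulnerable(self, msg: dict):
        """Weak check: anyone who names an enrolled router receives its role."""
        entry = self.enrolled.get(msg.get("claimed_id"))
        return None if entry is None else entry[1]

    def admit_hardened(self, msg: dict):
        """Strong check: the peer must present HMAC(secret, nonce|claimed_id)
        over a nonce this controller issued; the nonce is burned on any attempt."""
        entry = self.enrolled.get(msg.get("claimed_id"))
        nonce = msg.get("nonce")
        if entry is None or nonce not in self.issued_nonces:
            return None
        self.issued_nonces.discard(nonce)  # single use, even if the proof fails
        expected = device_proof(entry[0], nonce, msg["claimed_id"])
        if not hmac.compare_digest(expected, msg.get("proof", "")):
            return None
        return entry[1]


def device_proof(secret: bytes, nonce: str, device_id: str) -> str:
    """What a genuine router computes: it can only do this if it holds the secret."""
    return hmac.new(secret, f"{nonce}|{device_id}".encode(), hashlib.sha256).hexdigest()


def demo():
    """Run both checks against a spoofed peer, a genuine peer and a replay."""
    ctl = Controller()
    router_secret = ctl.enroll("edge-router-01", "admin")  # constructed device

    # Attacker knows only the identifier, not the enrolled secret.
    spoof = {"claimed_id": "edge-router-01"}
    vuln_result = ctl.admit_vulnerable(spoof)          # "admin": identity taken on faith

    nonce = ctl.challenge()
    spoof_with_bogus_proof = {"claimed_id": "edge-router-01", "nonce": nonce, "proof": "00" * 32}
    hardened_spoof = ctl.admit_hardened(spoof_with_bogus_proof)  # None

    nonce = ctl.challenge()
    genuine = {
        "claimed_id": "edge-router-01",
        "nonce": nonce,
        "proof": device_proof(router_secret, nonce, "edge-router-01"),
    }
    hardened_genuine = ctl.admit_hardened(genuine)     # "admin"
    hardened_replay = ctl.admit_hardened(genuine)      # None: nonce already consumed
    return vuln_result, hardened_spoof, hardened_genuine, hardened_replay


if __name__ == "__main__":
    print(demo())
```

The hardened path binds the role to possession of an enrolled credential rather than to a name in a message, and burns the nonce on every attempt so a captured proof cannot be replayed. In a real deployment the proof would come from a certificate-based mutual-authentication handshake rather than a shared HMAC key.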

Timeline of Discovery and Exploitation

Rapid7 discovered the vulnerability and reported it to Cisco on March 9. Cisco confirmed that limited exploitation of the flaw had already occurred earlier in March. The vendor released fixed software and publicly disclosed the vulnerability together on Thursday, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog.

Cisco did not provide details about the two-month gap between discovery and public disclosure. The company has faced a surge of actively exploited vulnerabilities in its network edge software since late February, with CISA adding seven such vulnerabilities to its catalog in less than three months.

Chained Exploits and Widespread Impact

Cisco Talos researchers warned that UAT-8616 and at least 10 other threat groups have chained three vulnerabilities in unpatched Cisco Catalyst SD-WAN infrastructure to achieve widespread in-the-wild exploitation. The three are:

  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133

Cisco disclosed and released patches for these three vulnerabilities in February. Rapid7's discovery of CVE-2026-20182 stemmed from research into CVE-2026-20127, another zero-day that the Five Eyes alliance identified in late 2025 and confirmed was being actively exploited by UAT-8616.

Recommendations and Mitigation

Cisco urged customers to apply the available fixed software releases and follow the guidance in its advisories and the Cisco Talos blog. Because exploitation preceded the fix, patching alone does not evict an attacker who has already obtained administrative access on a controller; systems that were reachable before the fix was applied should also be reviewed for signs of compromise. The company declined to comment on the origins or motivations of UAT-8616.

A spokesperson for Cisco stated:

"We strongly recommend customers apply the available fixed software releases and follow the guidance provided in the advisories and Cisco Talos blog."

Source: CyberScoop