
CRITICAL Cisco Catalyst SD-WAN AUTHENTICATION BYPASS CVE-2026-20182 Exploitation Campaign
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | Inspect /var/log/auth.log and SD-WAN Controller audit logs for `Accepted publickey for vmanage-admin` entries originating from unknown or unauthorised IP addresses; cross-reference against authorised peer inventories and administrative jump-host ranges. | /var/log/auth.log (SD-WAN Controller), Cisco Catalyst SD-WAN audit logs, SIEM correlation |
| T1190 | Exploit Public-Facing Application | Initial Access | Run `show control connections detail` and `show control connections-history detail`; flag peer entries with state:up combined with challenge-ack:0, peers claiming device type 2 (vHub) where no vHub is deployed, and peering events outside of documented maintenance windows. | Cisco Catalyst SD-WAN show-commands, admin-tech bundle, vdebug logs |
| T1098.004 | Account Manipulation: SSH Authorized Keys | Persistence | Continuous integrity monitoring of /home/vmanage-admin/.ssh/authorized_keys and /home/root/.ssh/authorized_keys; alert on any addition, modification, or deletion. | auditd (path watches), Sysmon for Linux EID 11, EDR file-integrity telemetry |
| T1078 | Valid Accounts | Initial Access | Audit Cisco Catalyst SD-WAN Manager for unexpected administrative users; review the system-login-change notifications (e.g. `Notification: system-login-change ... user-name:"root"`) for unaccounted interactive root sessions on production systems. | vManage user audit, vsyslog, syslog, SD-WAN notification stream |
| T1543 | Create or Modify System Process | Persistence | Inspect /etc/ssh/sshd_config for PermitRootLogin transitioning from no to yes; alert on any sshd configuration change on Controller or Manager appliances. | auditd (file-watch on /etc/ssh/sshd_config), configuration management telemetry |
| T1574 | Hijack Execution Flow (Software Downgrade) | Privilege Escalation / Defense Evasion | Alert on unexpected SD-WAN appliance reboots followed by detectable version changes; correlate with downgrade-and-restore patterns characteristic of UAT-8616's CVE-2022-20775 abuse. | Cisco Catalyst SD-WAN upgrade logs, admin-tech version history, change-management records |
| T1070 | Indicator Removal on Host | Defense Evasion | Detect missing or unexpectedly truncated bash_history, cli-history, vsyslog and vdebug entries on control components; correlate gaps with prior administrative-session telemetry. | Remote SIEM ingestion of vsyslog/vdebug, bash_history shipping, EDR forensic snapshots |
| T1090.003 | Proxy: Multi-hop Proxy | Command and Control | Hunt for outbound connections from SD-WAN control components to ORB-class infrastructure; flag long-lived sessions with consistent jitter and low-reputation destinations. | NetFlow / IPFIX, TLS metadata (JA3/JA4), egress proxy / NGFW logs |
| T1505.003 | Server Software Component: Web Shell (related cluster) | Persistence | For the parallel CVE-2026-20133 / -20128 / -20122 chain on unpatched vManage, hunt for the JSP-based XenShell (ZeroZenX Labs PoC derivative) and the Godzilla webshell; inspect web-root directories for unexpected .jsp files. | vManage web-server logs, file-integrity monitoring on web roots, WAF / reverse-proxy logs |
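The auth.log check from the first T1190 row (and the T1078 row), as an added Python example that is not part of the original report and not Cisco tooling: it parses OpenSSH `Accepted publickey` lines and reports `vmanage-admin` logins whose source address falls outside an assumed allow-list of peer and jump-host ranges. The log lines, hostnames, PIDs and the 10.20.0.0/24 range are constructed; replace the allow-list with your own inventory.

```python
import ipaddress
import re

# Constructed OpenSSH auth.log lines (hosts, PIDs, addresses and fingerprints
# are illustrative placeholders, not taken from any real incident).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:09 vsmart01 sshd[2231]: Accepted publickey for vmanage-admin from 10.20.0.5 port 51422 ssh2: ED25519 SHA256:placeholder1
Mar  3 02:14:51 vsmart01 sshd[2290]: Accepted password for admin from 10.20.0.7 port 51430 ssh2
Mar  3 03:40:17 vsmart01 sshd[2419]: Accepted publickey for vmanage-admin from 203.0.113.44 port 40210 ssh2: RSA SHA256:placeholder2
Mar  3 03:41:02 vsmart01 sshd[2420]: Failed publickey for vmanage-admin from 203.0.113.44 port 40211 ssh2: RSA SHA256:placeholder3
"""

# Assumed authorised peer / administrative jump-host ranges. Replace with the
# ranges from your peer inventory; anything outside them is flagged.
AUTHORISED_RANGES = [ipaddress.ip_network("10.20.0.0/24")]

# Matches only successful public-key logins; password logins and failures are
# left to other rules so this hunt stays focused on the row's indicator.
ACCEPTED_PUBKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted_publickey(log_text):
    """Yield one dict (ts, host, user, ip) per 'Accepted publickey' line."""
    for line in log_text.splitlines():
        m = ACCEPTED_PUBKEY_RE.match(line)
        if m:
            yield m.groupdict()


def is_authorised(ip_str, ranges=AUTHORISED_RANGES):
    """True if ip_str parses and lies inside one of the allow-listed ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source is never treated as authorised
    return any(ip in net for net in ranges)


def find_suspicious_logins(log_text, user="vmanage-admin", ranges=AUTHORISED_RANGES):
    """Return successful key logins for `user` from outside the allow-list."""
    return [
        entry
        for entry in parse_accepted_publickey(log_text)
        if entry["user"] == user and not is_authorised(entry["ip"], ranges)
    ]


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{hit['ts']} {hit['host']}: {hit['user']} key login from {hit['ip']} (not in allow-list)")
```

The second successful login (from 203.0.113.44) is the only hit; the password login and the failed attempt are ignored by design. In production, feed the same function with lines shipped to the SIEM rather than reading the appliance's log locally, since the T1070 row notes that local history and syslog may be truncated.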
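For the T1098.004 and T1543 rows, an added Python example of the two file-integrity checks (not the page's or Cisco's code): it diffs a baseline `authorized_keys` against a current copy by SHA256 key fingerprint, and reports the effective top-level `PermitRootLogin` value drifting between two captures of `sshd_config`. File contents here are constructed placeholders and the key blobs are not real keys; in practice the baseline comes from a golden capture and the current copy from auditd or EDR telemetry.

```python
import base64
import hashlib
import re


def _blob(tag):
    """Constructed base64 placeholder standing in for a key blob (not a real key)."""
    return base64.b64encode(tag.encode()).decode()


# Constructed authorized_keys captures: baseline at deployment vs. current state.
BASELINE_KEYS = f"""\
# baseline captured at deployment (constructed)
ssh-ed25519 {_blob('placeholder-key-1')} ops-jumphost
ssh-rsa {_blob('placeholder-key-2')} backup-automation
"""
CURRENT_KEYS = f"""\
ssh-ed25519 {_blob('placeholder-key-1')} ops-jumphost
ssh-ed25519 {_blob('placeholder-key-3')} unknown
"""

# Constructed sshd_config captures showing the PermitRootLogin no -> yes transition.
BASELINE_SSHD = """\
# constructed baseline
Port 22
PermitRootLogin no
PasswordAuthentication no
"""
CURRENT_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""


def parse_authorized_keys(text):
    """Map 'SHA256:<fp>' (same form as ssh-keygen -lf) to key type and comment."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options (from="...", command="...") may precede the key type field.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        ktype, b64 = parts[idx], parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        keys[f"SHA256:{digest}"] = {"type": ktype, "comment": comment}
    return keys


def diff_authorized_keys(baseline_text, current_text):
    """Return keys added to and removed from the baseline, keyed by fingerprint."""
    base, cur = parse_authorized_keys(baseline_text), parse_authorized_keys(current_text)
    return {
        "added": {fp: cur[fp] for fp in cur.keys() - base.keys()},
        "removed": {fp: base[fp] for fp in base.keys() - cur.keys()},
    }


def permit_root_login(config_text):
    """Effective global PermitRootLogin: sshd honours the first occurrence of a
    keyword, and Match blocks only apply conditionally, so scanning stops there."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"  # OpenSSH default when the directive is unset


def detect_sshd_drift(baseline_text, current_text):
    """Report a PermitRootLogin change between two captures, else None."""
    before, after = permit_root_login(baseline_text), permit_root_login(current_text)
    if before == after:
        return None
    return {"directive": "PermitRootLogin", "before": before, "after": after}


if __name__ == "__main__":
    print(diff_authorized_keys(BASELINE_KEYS, CURRENT_KEYS))
    print(detect_sshd_drift(BASELINE_SSHD, CURRENT_SSHD))
```

Fingerprinting by decoded blob rather than comparing raw lines means a re-wrapped or re-commented entry for the same key is not reported as a change, while a new key with a borrowed comment still is. The drift check deliberately reads only the global value, matching the row's "no to yes" condition; a `PermitRootLogin` inside a `Match` block is a separate, conditional setting.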