SOC Incident Toolkit
CRITICAL Cisco Catalyst SD-WAN AUTHENTICATION BYPASS CVE-2026-20182 Exploitation Campaign

Tags: CVE-2026-20182, CVE-2026-20127, CVE-2022-20775, CVE-2026-20133, CVE-2026-20122, Cisco Catalyst SD-WAN, vSmart, vManage, Authentication Bypass, Peering Authentication, vdaemon, DTLS, NETCONF, vmanage-admin, SSH Key Injection, UAT-8616, ORB Network, Operational Relay Box, XenShell, Godzilla Webshell, ZeroZenX Labs, Emergency Directive 26-03, Critical Infrastructure Targeting

A highly sophisticated threat actor, tracked by Cisco Talos as UAT-8616, active against Cisco SD-WAN infrastructure since at least 2023 and operating from Operational Relay Box (ORB) networks, has been observed exploiting CVE-2026-20182, a critical (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller (vSmart) and Manager (vManage) via the vdaemon DTLS peering service on UDP/12346.

Indicators of Compromise

Domains (5)

image.update-kaspersky.workers.dev
msiidentity.com
update-kaspersky.workers.dev
trafficmanagerupdate.com
www.drivelivelime.com

Hashes (20)

IPv4 (8)

85.209.156.338.54.32.24445.135.135.100185.238.189.4188.151.195.13345.140.168.62103.27.108.55156.238.224.82

APT Groups

UAT-8616

Notes

CONCLUSION

CVE-2026-20182 is the second critical authentication bypass disclosed in the Cisco Catalyst SD-WAN vdaemon DTLS peering service inside three months and the sixth SD-WAN flaw publicly observed to be exploited in 2026. Rapid7 found the issue while researching the still-active CVE-2026-20127 and confirmed it is not a patch bypass but a separate logic flaw in the same code path: the vdaemon peer-handshake routine has no certificate-validation logic for a peer that self-declares as a vHub device, yet still promotes the peer to UP state. An attacker can therefore complete a DTLS handshake with any certificate, send a CHALLENGE_ACK declaring device type 2 (vHub), and become a trusted control-plane peer over UDP/12346 without credentials. Post-authentication, the actor uses ordinary NETCONF and SSH-key-injection primitives, including writing a public key into /home/vmanage-admin/.ssh/authorized_keys and logging in on TCP/830, to manipulate the entire SD-WAN fabric. Cisco Talos attributes the in-the-wild exploitation with high confidence to UAT-8616, a sophisticated actor whose infrastructure overlaps with Operational Relay Box (ORB) networks and whose prior tradecraft against CVE-2026-20127 included downgrading the SD-WAN software to re-expose CVE-2022-20775, escalating to root, then restoring the original version to obscure their tracks.

For SOC operations the priorities are sequenced:

1. Capture an admin-tech bundle from every control component before any change.
2. Upgrade to the fixed releases.
3. Audit /var/log/auth.log for `Accepted publickey for vmanage-admin` from unknown IPs.
4. Validate every peer in `show control connections detail` against asset inventory.
5. Rotate the vmanage-admin and root credentials on every appliance that was Internet-reachable during the exposure window.
6. Rebuild from known-good golden images when indicators of compromise are present.

Mitigation

MITIGATION<br><span id="docs-internal-guid-8578ebe1-7fff-c2c2-e806-5034da47bcff"><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">REF: </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/">https://attack.mitre.org/</a></span></p><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col><col></colgroup><tbody><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#ddeaf6;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique ID</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#ddeaf6;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique Name</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#ddeaf6;padding:5pt 6pt 5pt 
6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#ddeaf6;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation ID</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;background-color:#ddeaf6;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1190</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 
6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exploit Public-Facing Application</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1051</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Update Software — Upgrade Cisco Catalyst SD-WAN Controller and Manager to fixed builds: 20.9.9.1 (20.9), 20.12.5.4 / 20.12.6.2 / 20.12.7.1 (20.10–20.12), 20.15.4.4 / 20.15.5.2 (20.15), 20.18.2.2 (20.18), 26.1.1.1 (26.1). Cisco Managed Cloud 20.15.506 was remediated without customer action. 
There are no workarounds. Run `request admin-tech` on every control component before upgrading to preserve forensic evidence.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1190</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exploit Public-Facing Application</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; 
vertical-align: baseline; white-space: pre-wrap;">M1037</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — Restrict access to the vdaemon DTLS peering service on UDP/12346 to known, authorised SD-WAN peer addresses; do not expose control-plane peering to the public Internet. Reduce the attack surface of the management plane (NETCONF over SSH on TCP/830 and HTTPS on TCP/443/8443) by ACL or VPN-fronting.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1190</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exploit Public-Facing Application</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1030</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Segmentation — Place Cisco Catalyst SD-WAN Manager (vManage) and Controller (vSmart) on a dedicated administrative network reachable only from authorised jump hosts or zero-trust gateways. 
Follow Cisco's Catalyst SD-WAN Hardening Guide.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1133</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">External Remote Services</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1035</span></p></td><td 
style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Limit Access to Resource Over Network — Inventory and audit expected peer relationships within the SD-WAN fabric; lock controller peering services to allow-listed peer networks only.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1078</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Valid Accounts</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; 
vertical-align: baseline; white-space: pre-wrap;">Initial Access / Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1027</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Password Policies — Rotate credentials for the vmanage-admin and any other internal high-privileged accounts on every appliance that was Internet-exposed during the disclosure and exploitation window.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1098.004</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Account Manipulation: SSH Authorized Keys</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1022</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Restrict File and Directory Permissions — Continuously monitor /home/vmanage-admin/.ssh/authorized_keys and /home/root/.ssh/authorized_keys for unexpected entries; alert on file modifications and on changes to /etc/ssh/sshd_config (in particular, PermitRootLogin transitioning to yes).</span></p></td></tr><tr style="height:0pt;"><td 
style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1059</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Scripting Interpreter</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Execution</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1038</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 
0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Execution Prevention — Audit and restrict NETCONF write operations; require change-management approval for configuration pushes from the controller and alert on out-of-band NETCONF sessions to TCP/830.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1574.002</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Hijack Execution Flow: Component Object Model Hijacking (Software Downgrade analogue)</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; 
vertical-align: baseline; white-space: pre-wrap;">Privilege Escalation</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1051</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Update Software — Detect and prevent unauthorised version downgrades; UAT-8616 has been observed downgrading to expose CVE-2022-20775 for root, then restoring the original version to conceal activity. 
Enforce signed-image policies and alert on unexpected reboots tied to software-version changes.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1070</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Indicator Removal on Host</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: 
pre-wrap;">M1029</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remote Data Storage — Ship vdebug, vsyslog, messages, and auth logs from every control component to a remote SIEM in near-real time so that on-device log clearing by the actor does not destroy evidence.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1071.001</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Application Layer Protocol: Web Protocols</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1031</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Intrusion Prevention — Deploy egress inspection for SD-WAN management-plane segments capable of identifying anomalous outbound HTTPS and beacons toward ORB-class infrastructure.</span></p></td></tr>
<tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">T1090.003</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Proxy: Multi-hop Proxy (ORB Network)</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1037</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:top;padding:5pt 6pt 5pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — Block outbound traffic from SD-WAN control components to non-business destinations; treat traffic to known ORB-class IP ranges as high-priority alerts.</span></p></td></tr></tbody></table></div></span>
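Detection logic for the M1031 and M1037 rows above, as an added example that is not part of this toolkit page: it reads outbound flow records from the SD-WAN control components, drops allowlisted business destinations, and rates the rest high when the destination sits in an analyst-tagged ORB-class range or when outbound HTTPS recurs at a fixed interval, medium otherwise. The host names, address ranges, record format and flow lines are constructed placeholders for illustration, not indicators from the campaign.

```python
import ipaddress
from collections import defaultdict

# Constructed values, not indicators from the campaign page: business destinations the
# control components may legitimately reach, analyst-tagged ORB-class ranges, control hosts.
BUSINESS_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.0.2.10/32")]
ORB_CLASS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]
CONTROL_PLANE_HOSTS = {"vmanage-01", "vsmart-01", "vsmart-02"}

def parse_flow(line):
    """Constructed record format: '<epoch_seconds> <src_host> <dst_ip> <dst_port> <proto>'."""
    ts, host, dst, port, proto = line.split()
    return int(ts), host, ipaddress.ip_address(dst), int(port), proto.lower()

def is_periodic(timestamps, tolerance=0.1):
    """True when three or more connections recur at a near-constant interval (beacon-like)."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) <= tolerance * mean

def check_egress(flow_lines):
    """Return (host, dst, dport, severity, reason) tuples, highest severity first."""
    seen = defaultdict(list)  # (host, dst, dport) -> timestamps of non-allowlisted egress
    for line in flow_lines:
        ts, host, dst, port, _proto = parse_flow(line)
        if host not in CONTROL_PLANE_HOSTS or any(dst in n for n in BUSINESS_ALLOWLIST):
            continue  # only control components talking to non-business destinations are in scope
        seen[(host, str(dst), port)].append(ts)
    findings = []
    for (host, dst, port), stamps in seen.items():
        if any(ipaddress.ip_address(dst) in n for n in ORB_CLASS_RANGES):
            sev, reason = "high", "destination in ORB-class range"
        elif port == 443 and is_periodic(stamps):
            sev, reason = "high", "periodic outbound HTTPS (beacon-like)"
        else:
            sev, reason = "medium", "non-business destination"
        findings.append((host, dst, port, sev, reason))
    return sorted(findings, key=lambda f: ({"high": 0, "medium": 1}[f[3]], f[0], f[1]))

SAMPLE_FLOWS = [  # constructed sample records, not campaign indicators
    "1700000000 vmanage-01 10.50.1.5 514 udp",         # SIEM collector: allowlisted, skipped
    "1700000000 vsmart-01 198.51.100.7 443 tcp",       # ORB-class range: high
    "1700000000 vmanage-01 203.0.113.9 443 tcp",       # HTTPS every 300 s: beacon-like, high
    "1700000300 vmanage-01 203.0.113.9 443 tcp",
    "1700000600 vmanage-01 203.0.113.9 443 tcp",
    "1700000050 vsmart-02 203.0.113.50 22 tcp",        # one-off non-business destination: medium
    "1700000070 branch-edge-01 203.0.113.50 443 tcp",  # not a control component: skipped
]
```

In production the allowlist and ORB-class ranges would be fed from the organisation's own asset inventory and threat-intel feeds rather than hard-coded, and the flow source would be the egress sensor in front of the management-plane segment.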
