Cisco SD-WAN Auth Bypass Under Active Attack as CISA Sets Remediation Deadline

CISA mandates that federal agencies patch a critical Cisco SD-WAN authentication bypass by May 17, as threat actors exploit the flaw to gain administrative privileges and deploy web shells.

CSBadmin

Critical Authentication Bypass Added to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a severe authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to remediate the issue by May 17, 2026. The flaw, rated at the maximum severity level of 10.0, allows an unauthenticated remote attacker to bypass authentication mechanisms and gain full administrative privileges on affected systems.

Threat Actor Activity and Post-Compromise Actions

Cisco has attributed active exploitation of this vulnerability to a threat cluster tracked as UAT-8616. The same group was previously linked to the weaponization of another SD-WAN flaw that allowed unauthorized access. After successfully exploiting the authentication bypass, UAT-8616 was observed adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Cisco Talos assesses that the infrastructure used by this actor overlaps with Operational Relay Box (ORB) networks.
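A defender-side triage check for the three post-compromise behaviours named above (an added example, not code from the article or from Cisco; the authorized_keys contents, log line formats, host name and key values are constructed assumptions, not the controller's real layout):

```python
import re

# Constructed allow-list of SSH public-key bodies approved for the controller.
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIApprovedKey0001"}

# Constructed authorized_keys contents: one approved key, one that was added.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApprovedKey0001 netops@jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKey0099 user@unknown
"""

# Constructed syslog-style lines; formats are assumptions for this example.
LOG_LINES = [
    "2026-04-02T10:14:03Z ctrl sshd[4120]: Accepted publickey for admin from 203.0.113.7",
    "2026-04-02T10:14:40Z ctrl netconf[4301]: edit-config datastore=running user=admin src=203.0.113.7",
    "2026-04-02T10:15:02Z ctrl sudo: admin : command not allowed ; COMMAND=/bin/bash",
    "2026-04-02T10:16:00Z ctrl cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Patterns (constructed) for NETCONF config edits and blocked root escalation.
NETCONF_EDIT = re.compile(r"netconf\[\d+\]: edit-config .*user=(\S+).*src=(\S+)")
ROOT_ATTEMPT = re.compile(
    r"sudo: (\S+) : (?:command not allowed|incorrect password attempts).*COMMAND=(\S+)"
)


def unapproved_keys(authorized_keys: str, approved: set[str]) -> list[str]:
    """Return the comment (or key body) of every key not on the allow-list."""
    found = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue  # blank or comment line, not a key
        key_body = parts[1]
        if key_body not in approved:
            found.append(parts[2] if len(parts) > 2 else key_body)
    return found


def suspicious_log_events(lines) -> list[tuple[str, str]]:
    """Tag lines that match the NETCONF-edit or root-escalation patterns."""
    events = []
    for line in lines:
        if m := NETCONF_EDIT.search(line):
            events.append(("netconf_edit", f"{m.group(1)}@{m.group(2)}"))
        elif m := ROOT_ATTEMPT.search(line):
            events.append(("root_attempt", f"{m.group(1)} -> {m.group(2)}"))
    return events
```

Run both checks on a schedule and alert on any non-empty result; a key that is not in the baseline, or a NETCONF edit from an address outside the management network, is the kind of change the article reports following the bypass.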

Broader Exploitation Campaign

Since March 2026, at least 10 distinct threat clusters have been exploiting a chain of three other Cisco SD-WAN vulnerabilities. Attackers are leveraging publicly available proof-of-concept exploit code to deploy web shells on compromised systems. One notable web shell, named XenShell, was built using a proof of concept released by security researchers. These web shells allow operators to execute arbitrary bash commands on affected devices, enabling persistent access and further network compromise.

Source: The Hacker News
