Bottom line: CISA has added a critical authentication vulnerability (CVE-2026-93) in Cisco SD-WAN Controller to its KEV catalog. Federal agencies must patch by May 2026. The threat group UAT-8616 is already actively exploiting the vulnerability; at least ten threat groups are exploiting related vulnerabilities and installing web shells on systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical authentication vulnerability in Cisco Catalyst SD-WAN Controller software to its catalog of known exploited vulnerabilities. Federal agencies must remediate the vulnerability by May 17, 2026.
On Thursday, CISA added the newly disclosed vulnerability in Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog. Federal executive agencies must remediate the vulnerability by May 17, 2026.
The vulnerability is a critical authentication vulnerability registered as CVE-2026-93 and receives a perfect score of 10.0 on the CVSS scale – the highest possible severity rating. According to CISA, the vulnerability “allows an unauthenticated remote attacker to bypass authentication and obtain administrator privileges on an affected system”.
In a separate report, Cisco confirms with high confidence that the threat group UAT-8616 – the same group that previously exploited CVE-2026-20127 – is already actively exploiting CVE-2026-20182. The attackers carried out post-compromise actions similar to those seen in earlier attacks: adding SSH keys, modifying NETCONF settings, and obtaining root access. The infrastructure of UAT-8616 partially overlaps with so-called Operational Relay Box (ORB) networks.
Security experts also observed that multiple threat groups have been exploiting vulnerabilities CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026. When these three vulnerabilities are combined, they enable an unauthenticated attacker to obtain unauthorized access to the devices. These were already added to the CISA KEV catalog last month.
Attackers use publicly available exploit code to install web shells on compromised systems and execute arbitrary Bash commands. One identified web shell, a JSP-based shell called XenShell, is based on a proof-of-concept from ZeroZenX Labs. At least ten distinct threat groups have been linked to exploitation of these three vulnerabilities. Cluster 1 (active since at least March 6, 2026) deploys the Godzilla web shell, while Cluster 28 (active since at least March 2026) uses the Behinder web shell.