# [CRIT] Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

**Source:** Cisco Talos
**Published:** 2026-05-14
**Article:** https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/

## Threat Profile

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities. Threat Advisory by Cisco Talos, Thursday, May 14, 2026 12:02.

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges …

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-20182`
- **CVE:** `CVE-2026-20133`
- **CVE:** `CVE-2026-20128`
- **CVE:** `CVE-2026-20122`
- **CVE:** `CVE-2026-20127`

## MITRE ATT&CK Techniques

- **T1071** — Application Layer Protocol
- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1071.004** — Application Layer Protocol: DNS
- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1133** — External Remote Services
- **T1505.003** — Server Software Component: Web Shell
- **T1573.002** — Encrypted Channel: Asymmetric Cryptography
- **T1095** — Non-Application Layer Protocol
- **T1036.005** — Masquerading: Match Legitimate Name or Location
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1098.004** — Account Manipulation: SSH Authorized Keys
- **T1543** — Create or Modify System Process
- **T1548.003** — Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- **T1496** — Resource Hijacking

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Inbound exploit attempt to Cisco Catalyst SD-WAN Manager from known UAT-8616 / Cluster IPs

`UC_302_4` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.src_ip IN ("38.181.52.89","89.125.244.33","89.125.244.51","71.80.85.135","212.83.162.37","38.60.214.92","65.20.67.134","104.233.156.1","194.233.100.40")
      AND All_Traffic.dest_port IN (443,8443,830,4566,22)
    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dest_hostname
| `drop_dm_object_name(All_Traffic)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let UAT8616_ExploitIPs = dynamic(["38.181.52.89","89.125.244.33","89.125.244.51","71.80.85.135","212.83.162.37","38.60.214.92","65.20.67.134","104.233.156.1","194.233.100.40"]);
DeviceNetworkEvents
| where Timestamp > ago(60d)
| where RemoteIP in (UAT8616_ExploitIPs) or LocalIP in (UAT8616_ExploitIPs)
| where RemotePort in (443,8443,830,4566,22) or LocalPort in (443,8443,830,4566,22)
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

### XenShell / Godzilla / Behinder JSP webshell file write on Cisco SD-WAN Manager

`UC_302_5` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.action=created
      AND (Filesystem.file_name IN ("20251117022131.jsp","conf.jsp","sysv.jsp","sysinit.jsp","vmurnp_ikp.jsp")
           OR Filesystem.file_path="*/vmanage/*webapps/*.jsp")
    by Filesystem.dest Filesystem.file_path Filesystem.file_name Filesystem.user Filesystem.process_path
| `drop_dm_object_name(Filesystem)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let WebshellNames = dynamic(["20251117022131.jsp","conf.jsp","sysv.jsp","sysinit.jsp","vmurnp_ikp.jsp"]);
DeviceFileEvents
| where Timestamp > ago(60d)
| where ActionType in ("FileCreated","FileModified","FileRenamed")
| where FileName in~ (WebshellNames)
   or (FileName endswith ".jsp" and FolderPath has_any ("/vmanage/","/webapps/","/opt/web-app/","/tomcat/webapps/"))
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

### AdaptixC2 'shadowcore' / Mythic C2 traffic to UAT-8616 infrastructure 194.163.175.135

`UC_302_6` · phase: **c2** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.dest_ip="194.163.175.135" AND All_Traffic.dest_port IN (4445,7443,31337,22)
    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.app
| `drop_dm_object_name(All_Traffic)`
| convert ctime(firstTime) ctime(lastTime)
| append [
    | tstats summariesonly=t count
        from datamodel=Certificates.All_Certificates
        where All_Certificates.ssl.ssl_serial="fece5b954e69b2c6a8d0a1029631a0d7"
        by All_Certificates.ssl.ssl_serial All_Certificates.dest
  ]
```

**Defender KQL:**
```kql
let C2_IP = "194.163.175.135";
let C2_Ports = dynamic([4445, 7443, 31337]);
DeviceNetworkEvents
| where Timestamp > ago(60d)
| where RemoteIP == C2_IP
| where RemotePort in (C2_Ports) or RemotePort == 22
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

### AdaptixC2 'systemd-resolved' or Sliver 'CWan' implant on Linux / SD-WAN host

`UC_302_7` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name="systemd-resolved"
           AND Processes.process_path!="/lib/systemd/systemd-resolved"
           AND Processes.process_path!="/usr/lib/systemd/systemd-resolved")
      OR Processes.process_name="CWan"
      OR Processes.process="*194.163.175.135*"
      OR Processes.process="*23.27.143.170*"
    by Processes.dest Processes.user Processes.process_name Processes.process_path Processes.process Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let C2_IPs = dynamic(["194.163.175.135","23.27.143.170"]);
let LegitResolvedPaths = dynamic(["/lib/systemd/systemd-resolved","/usr/lib/systemd/systemd-resolved","/usr/libexec/systemd/systemd-resolved"]);
union isfuzzy=true
(DeviceProcessEvents
  | where Timestamp > ago(60d)
  | where (FileName =~ "systemd-resolved" and FolderPath !in~ (LegitResolvedPaths))
     or FileName =~ "CWan"
     or ProcessCommandLine has_any ("194.163.175.135","23.27.143.170")
  | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName),
(DeviceNetworkEvents
  | where Timestamp > ago(60d)
  | where RemoteIP in (C2_IPs)
  | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName)
| order by Timestamp desc
```

### UAT-8616 post-compromise on SD-WAN: SSH key add, NETCONF edit, su root, XMRig miner.sh

`UC_302_8` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process IN ("*su root*-c*id*","*/tmp/moneroocean/miner.sh*","*config_background.json*")
           OR (Processes.process="*authorized_keys*" AND Processes.process_name IN ("bash","sh","tee","echo","cat"))
           OR (Processes.process="*edit-config*" AND Processes.process="*netconf*"))
    by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process
| `drop_dm_object_name(Processes)`
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(60d)
| where (ProcessCommandLine has "su root" and ProcessCommandLine has "-c" and ProcessCommandLine has "id")
   or ProcessCommandLine has_any ("/tmp/moneroocean/miner.sh","config_background.json","moneroocean")
   or (ProcessCommandLine has "authorized_keys" and FileName in~ ("bash","sh","tee","echo","cat","dd","cp"))
   or (ProcessCommandLine has "edit-config" and ProcessCommandLine has "netconf")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc
```

### Beaconing — periodic outbound to small set of destinations

`UC_BEACONING` · phase: **c2** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal"
    by _time span=10s, All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| streamstats current=f last(_time) AS prev_time by src, dest
| eval delta = _time - prev_time
| stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest
| where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project DeviceName, RemoteIP, RemotePort, Timestamp
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1),
         prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1)
| where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port
| extend delta_sec = datetime_diff('second', Timestamp, prev_ts)
| summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec)
    by DeviceName, RemoteIP, RemotePort
| where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0
| order by conn_count desc
```
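The interval heuristic those two beaconing queries share, as an added example that is not part of the original briefing: a small Python implementation of the same thresholds (more than 30 gaps, mean gap between 30 and 600 s, sample standard deviation under 5 s) run over constructed connection records. The destination 194.163.175.135 is the C2 address named elsewhere on this page; the other addresses are RFC 5737 documentation ranges.

```python
# Added example (not Cisco Talos code): the interval heuristic used by the
# SPL/KQL beaconing hunts, run offline over constructed connection records.
from collections import defaultdict
from statistics import mean, stdev


def find_beacons(conns, min_count=30, min_avg=30.0, max_avg=600.0, max_sd=5.0):
    """conns: iterable of (epoch_seconds, src, dst, dst_port).

    Like the KQL hunt, each (src, dst, port) pair is scored on its
    inter-connection gaps (the first connection has no predecessor).
    Returns {(src, dst, port): (gap_count, avg_gap, sd_gap)} for pairs whose
    gaps are many, regular (low stdev) and inside the 30..600 s window.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for key, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:                       # stdev needs at least two gaps
            continue
        avg, sd = mean(gaps), stdev(gaps)       # sample stdev, as SPL/KQL stdev()
        if len(gaps) > min_count and min_avg <= avg <= max_avg and sd < max_sd:
            hits[key] = (len(gaps), avg, sd)
    return hits


def build_sample():
    """Constructed records: one 60 s beacon with small jitter to the C2 IP
    named in the article, one random-looking talker, one short regular burst."""
    base = 1_700_000_000
    jitter = [2, -1, 0]                         # repeating +/- seconds of jitter
    beacon = [(base + 60 * i + jitter[i % 3], "10.0.0.5", "194.163.175.135", 4445)
              for i in range(41)]               # 41 connections -> 40 gaps
    noisy = [(base + 7 * i * i, "10.0.0.6", "203.0.113.9", 443)
             for i in range(41)]                # gaps 7, 21, 35, ... -> huge stdev
    burst = [(base + 60 * i, "10.0.0.7", "198.51.100.4", 8443)
             for i in range(5)]                 # perfectly regular but far too few
    return beacon + noisy + burst


if __name__ == "__main__":
    for (src, dst, port), (n, avg, sd) in find_beacons(build_sample()).items():
        print(f"{src} -> {dst}:{port}  gaps={n} avg={avg:.1f}s sd={sd:.2f}s")
```

Only the jittered 60 s talker survives all three thresholds; the quadratic-interval talker has an average gap inside the window but a standard deviation far above 5 s, which is the criterion that separates beacons from ordinary repeated traffic.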

### Article-specific behavioural hunt — Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

`UC_302_3` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("miner.sh","loot_run.sh"))
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/tmp/moneroocean/miner.sh*" OR Filesystem.file_path="*/tmp/moneroocean/config_background.json*" OR Filesystem.file_path="*/dev/null*" OR Filesystem.file_name IN ("miner.sh","loot_run.sh"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
// Process executions and file events are combined with union so the
// block runs as one query in Advanced Hunting.
union isfuzzy=true
(DeviceProcessEvents
  | where Timestamp > ago(30d)
  | where FileName in~ ("miner.sh", "loot_run.sh")
  | project Timestamp, DeviceName, AccountName, FileName,
            FolderPath, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine),
// File-creation events for the named binaries / paths
(DeviceFileEvents
  | where Timestamp > ago(30d)
  | where ActionType in ("FileCreated","FileModified")
  | where FolderPath has_any ("/tmp/moneroocean/miner.sh", "/tmp/moneroocean/config_background.json", "/dev/null")
       or FileName in~ ("miner.sh", "loot_run.sh")
  | project Timestamp, DeviceName, AccountName, FolderPath,
            FileName, ActionType, InitiatingProcessFileName,
            InitiatingProcessCommandLine)
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `38.181.52.89`, `89.125.244.33`, `89.125.244.51`, `71.80.85.135`, `212.83.162.37`, `38.60.214.92`, `65.20.67.134`, `104.233.156.1` _(+6 more)_

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-20182`, `CVE-2026-20133`, `CVE-2026-20128`, `CVE-2026-20122`, `CVE-2026-20127`


## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 9 use case(s) fired, 17 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
