Two critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN are already being actively exploited as zero-days, allowing attackers to change the entire network configuration. Cloud infrastructure, DevOps teams, and large corporate WAN fabrics are under attack.

The latest F5 Labs bulletin records massive attacks on Cisco Catalyst SD-WAN Controller and Manager: a chain of at least five CVEs with a CVSS rating of up to 10.0 is already being used by more than a dozen separate groups. This is not just about DDoS or stealing individual accounts—attackers gain privileged access to SD-WAN controllers and can centrally rewrite routing, VPN, and security policies. For companies actively using hybrid and multi-cloud architectures with SD-WAN overlays over AWS, Azure, and Google Cloud, this is a direct risk of losing control over traffic and access to Kubernetes clusters and internal services. Companies like Alashed IT (it.alashed.kz), supporting complex cloud landscapes and DevOps pipelines, already recommend urgent updates and a review of access models.

Clouds and DevOps Under Attack: Details of Attacks on Cisco SD-WAN

According to the new Weekly Threat Bulletin from F5 Labs, the focus of attacks has been on Cisco Catalyst SD-WAN Controller and Manager, as well as related SD-WAN Software components. The key vulnerabilities are CVE-2026-20182 and CVE-2026-20127, both with a maximum CVSSv3 rating of 10.0 and related to critical authentication bypass. Researchers have recorded active exploitation of CVE-2026-20182 as a zero-day since at least 2023 by an advanced group identified as UAT-8616. This means that a significant portion of corporate SD-WAN deployments may have been compromised long before public disclosure.

In addition to these two critical CVEs, a chain of CVE-2026-20133 (information disclosure, CVSS 7.5), CVE-2026-20128 (credential access, CVSS 7.5), and CVE-2026-20122 (arbitrary file overwrite, CVSS 5.4) is used in attacks. In total, F5 Labs links the exploitation of these vulnerabilities to at least 11 different 'threat clusters', indicating that the exploit spread widely among criminal actors after the release of public proof-of-concept code. The attack vector is most dangerous for DevOps teams: the SD-WAN controller often has direct connectivity to VPN gateways, cloud VPCs (AWS, Azure, Google Cloud), and Kubernetes edge clusters.

Successful exploitation of CVE-2026-20182 and CVE-2026-20127 gives attackers privileged access to internal accounts on the SD-WAN Controller, allowing them to change routes, QoS policies, IPsec tunnel parameters, and network segmentation. In recorded incidents, UAT-8616 additionally used CVE-2022-20775 (privilege escalation via path traversal in CLI, CVSS 7.8) through software rollback to gain root access, deploy their own SSH keys, create hidden accounts, and clear logs. This scenario turns the SD-WAN controller into a persistent post-exploitation hub from which to launch further attacks on cloud accounts, CI/CD systems, and internal services.

Of particular concern is the fact that all Cisco Catalyst SD-WAN Controller, Manager, and a number of SD-WAN Software components are affected, regardless of the type of configuration and deployment model—whether on-premises, virtual controllers in VMware, instances in AWS, or hosted by service providers. For DevOps and SRE teams, this means that the familiar 'cloud plus secure WAN overlay' model can no longer be considered reliable without urgent patching and access control review.

How Attacks on Cisco SD-WAN Impact AWS, Azure, Google Cloud, and Kubernetes

SD-WAN has long been perceived as a secure and manageable layer over public clouds, allowing data centers, offices, and cloud regions in AWS, Azure, and Google Cloud to be connected into a unified fabric network. However, in the current campaign, attackers are effectively taking on the role of the 'central orchestrator' of this layer. By gaining privileged access to the SD-WAN Controller, attackers can reconfigure routes to virtual networks in the clouds, change the next hop for traffic to Kubernetes clusters, CI/CD agents, and Git repositories, or silently insert their own proxies and traffic inspection.

In a practical scenario described by F5 Labs, an attacker, after gaining access to the controller, changes the parameters of the IPsec tunnel to the branch that hosts the local Kubernetes image registry and redirects part of the traffic to their own server. This opens the way to container image substitution, backdoor insertion into GitLab CI or GitHub Actions pipelines, and theft of secrets from Kubernetes (e.g., AWS IAM roles, Google Cloud service accounts, Azure Storage access keys). Even when using tools like HashiCorp Vault or the built-in secrets managers AWS Secrets Manager and Google Secret Manager, compromising the network layer can give attackers additional opportunities for lateral movement.

An important detail for DevOps teams: F5 Labs records attacks on the cloud infrastructure, IT, and DevOps industries, as well as financial services, telecoms, healthcare, industry, and utilities. This shows that the target is not just individual corporations, but the entire layer of cloud infrastructure operators and service providers, which then serve as a 'bridge' to dozens or hundreds of client environments. Companies like Alashed IT (it.alashed.kz), which build and maintain multi-cloud landscapes, SD-WAN fabrics, and Kubernetes platforms for clients, are effectively on the front line: one vulnerable controller potentially opens access to several client organizations.

An additional risk is that SD-WAN is integrated into the modern platform engineering model. Platform engineering teams often provide developers with 'golden paths'—ready-made infrastructure-as-code templates, including routes to AWS, Azure, and GCP, connection to centralized logs, and observability services. If the SD-WAN is under the control of an attacker, all these 'golden paths' start leading through points controlled by the attacker. This turns the beautiful architecture of DevOps and GitOps into a delivery and masking channel for attacks, rather than just a tool for accelerating development.

Why This is Critical Today: CISA Directive and Attack Window

The criticality of the current campaign is underscored by the response of regulators. The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, requiring federal agencies to remediate Cisco SD-WAN vulnerabilities by May 17 and has added all related CVEs to the Known Exploited Vulnerabilities catalog. For the global market, this is a signal: these are not theoretical bugs, but actively exploited vulnerabilities, and ignoring them can lead to direct incidents, including downtime of business-critical services and data breaches.

Cisco claims to have released fixes for all identified vulnerabilities, but the attack window remains open for those organizations where patch management and DevSecOps processes are not mature enough. According to industry research, the average time to deploy critical patches in large companies often exceeds 30 days, and in complex distributed SD-WAN networks it can reach 60 days. During this period, attackers, already possessing working exploits and scanners, can locate unprotected controllers at scale and automate the attack. Moreover, the chain includes CVE-2022-20775, which has existed since 2022, confirming that attackers are effectively combining new and old vulnerabilities.

Today's situation is complicated by the overall growth of business dependence on clouds and DevOps infrastructure. By 2026, according to major analytical firms, more than 70 percent of medium and large enterprises will use hybrid architectures with multiple cloud providers and SD-WAN overlays. Many of these architectures were built on the principle of 'network perimeter plus Zero Trust at the identity level', but compromising a centralized SD-WAN controller calls into question even well-implemented Zero Trust approaches, as traffic can be covertly redirected and policies altered.

This is why, for teams responsible for clouds, DevOps, and platform engineering, the issue of patching Cisco SD-WAN today is not just another backlog item, but a business risk issue. The temporary window between the publication of exploits, the CISA directive, and the actual closure of vulnerabilities on all instances can be the defining factor separating a minor incident from a major IT security crisis.

What DevOps and Platform Engineering Should Do Now: Practical Steps

For DevOps, SRE, and platform engineering teams, the first steps should be as specific as possible. Firstly, inventory: obtain an accurate list of all instances of Cisco Catalyst SD-WAN Controller, Manager, and related components within the next 24-72 hours, including virtual deployments in AWS, Azure, and Google Cloud, as well as instances hosted by service providers. Secondly, check the software versions against Cisco's published patches and draw up a plan for urgent updates. In large organizations, this may require temporary maintenance windows and coordination with business units, but delaying the update to 'after the quarter' in the current conditions is risky.

In parallel, additional detection measures should be implemented. F5 Labs points to specific indicators of compromise: unusual public-key authentication log entries, suspicious changes to control connections, the appearance of unauthorized SSH keys, and root login being enabled. DevOps teams can integrate these indicators into existing monitoring and SIEM systems: for example, setting up alerts in Prometheus/Grafana, Elastic Stack, Datadog, or Azure Monitor that trigger on configuration changes to SD-WAN controllers outside of approved GitOps pipelines.
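To make the indicators above concrete, here is an added example (not from the F5 Labs bulletin or from Cisco) of a small SIEM-style rule set run over constructed syslog-like lines. The line layout (`timestamp host message`), the message wordings, the host name `sdwan-ctrl-01`, and the approved GitOps service account `gitops-pipeline` are all assumptions; real Cisco SD-WAN log formats differ and the patterns would have to be adapted to them.

```python
"""Toy SIEM rules for the compromise indicators discussed above.

Assumed log layout: "<ISO timestamp> <host> <free-text message>".
This is NOT Cisco's actual SD-WAN log format; adapt the regexes to the
real source before using anything like this in production."""
import re
from dataclasses import dataclass

# Assumption: the only actor allowed to commit controller config is the
# GitOps service account; any other committer is an out-of-pipeline change.
APPROVED_CHANGE_ACTORS = {"gitops-pipeline"}

# (rule name, severity, regex over the message part). Ordered; first hit wins.
RULES = [
    ("pubkey-auth", "medium",
     re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+)")),
    ("ssh-key-added", "high",
     re.compile(r"authorized_keys (?:added|modified) for (?P<user>\S+)")),
    ("root-login-enabled", "critical",
     re.compile(r"root login (?:enabled|permitted)")),
    ("control-connection-change", "high",
     re.compile(r"control connection (?:peer|endpoint) changed")),
    ("config-commit", "info",
     re.compile(r"config commit by (?P<user>\S+)")),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    severity: str
    detail: str


def evaluate_line(line):
    """Return an Alert for the first matching rule, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.group("ts", "host", "msg")
    for name, severity, rx in RULES:
        hit = rx.search(msg)
        if not hit:
            continue
        if name == "config-commit":
            # A commit by the pipeline account is expected; anything else is
            # a configuration change outside the approved GitOps path.
            user = hit.group("user")
            if user in APPROVED_CHANGE_ACTORS:
                return None
            return Alert(ts, host, "config-change-outside-gitops", "high",
                         f"commit by {user}")
        return Alert(ts, host, name, severity, hit.group(0))
    return None


def scan(lines):
    """Run every line through the rules; drop non-alerts."""
    return [a for a in (evaluate_line(ln) for ln in lines) if a]


def highest_severity(alerts):
    """Worst severity present, using a fixed ordering; None if no alerts."""
    order = ["info", "medium", "high", "critical"]
    return max((a.severity for a in alerts), key=order.index, default=None)


# Constructed sample log: documentation IP ranges, invented wording.
SAMPLE_LOG = [
    "2026-03-02T01:12:03Z sdwan-ctrl-01 Accepted publickey for admin from 203.0.113.7 port 51422",
    "2026-03-02T01:12:09Z sdwan-ctrl-01 config commit by gitops-pipeline id 4f2a",
    "2026-03-02T01:13:40Z sdwan-ctrl-01 authorized_keys modified for admin",
    "2026-03-02T01:14:02Z sdwan-ctrl-01 root login enabled via cli",
    "2026-03-02T01:15:11Z sdwan-ctrl-01 config commit by admin id 9c01",
    "2026-03-02T01:15:30Z sdwan-ctrl-01 control connection peer changed to 198.51.100.9",
    "2026-03-02T01:16:00Z sdwan-ctrl-01 session keepalive ok",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity:8}] {alert.ts} {alert.host} {alert.rule}: {alert.detail}")
    print("highest severity:", highest_severity(scan(SAMPLE_LOG)))
```

The point of the `config-commit` branch is that the same event is benign or suspicious depending on who caused it: a commit by the pipeline account is normal, a commit by a human account on the controller is exactly the "change outside the approved GitOps pipeline" the text describes. A single public-key login is only medium severity on its own; it is the combination with a new authorized key and root login being enabled, all on one host within minutes, that should page someone.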

For mature platform teams, a logical step would be to review the access model to SD-WAN as part of the platform. This involves moving the configuration to infrastructure-as-code (Terraform, Ansible, Pulumi) with clear Git code reviews, restricting direct access to the controller's web interface, and strengthening authentication through SSO and MFA. Companies like Alashed IT (it.alashed.kz), which build and maintain GitOps approaches for clients, already recommend moving any manual changes to SD-WAN configurations to separate, well-logged pipelines, so that any deviations from this process immediately fall into the spotlight.
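The "any deviation from the pipeline falls into the spotlight" idea only works if something actually compares what Git declares with what the controller is running. The following added example (not Cisco tooling and not the page's own code) is a configuration drift check over two constructed dictionaries: the declared state as it would be rendered from Terraform or Ansible, and a snapshot of the running state. The key names, the branch name `branch-almaty`, the SSH key strings and the IP addresses are all constructed placeholders, not Cisco's configuration schema.

```python
"""Configuration drift check: declared (IaC) state vs. running snapshot.

Keys and values below are constructed; the schema is an assumption and not
Cisco's. The idea generalises: flatten both trees, diff the leaves, and
weight the ones that control authentication, SSH access, tunnels and policy."""

# Assumed key prefixes whose drift matters most for an SD-WAN controller.
SENSITIVE_PREFIXES = ("system.aaa", "system.ssh", "tunnel.", "policy.")


def flatten(tree, prefix=""):
    """Turn a nested dict into {'a.b.c': leaf}. Lists become sorted tuples
    so that ordering differences alone are not reported as drift."""
    out = {}
    for k, v in tree.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        elif isinstance(v, list):
            out[key] = tuple(sorted(map(str, v)))
        else:
            out[key] = v
    return out


def diff_configs(declared, running):
    """Return one record per leaf that differs between the two trees."""
    d, r = flatten(declared), flatten(running)
    drift = []
    for key in sorted(set(d) | set(r)):
        if d.get(key) == r.get(key):
            continue
        if key not in d:
            kind = "added"
        elif key not in r:
            kind = "removed"
        else:
            kind = "changed"
        drift.append({
            "key": key, "kind": kind,
            "declared": d.get(key), "running": r.get(key),
            "sensitive": key.startswith(SENSITIVE_PREFIXES),
        })
    return drift


def sensitive_keys(drift):
    """Just the drifted keys that touch auth, SSH, tunnels or policy."""
    return [rec["key"] for rec in drift if rec["sensitive"]]


# Constructed declared state (what the IaC repository says should be running).
DECLARED = {
    "system": {
        "banner": "Authorized use only",
        "aaa": {"users": ["admin", "netops"], "root-login": False},
        "ssh": {"authorized-keys": {
            "admin": ["ssh-ed25519 AAAA-placeholder-declared admin@corp"],
        }},
    },
    "tunnel": {"branch-almaty": {"remote-endpoint": "198.51.100.20", "ike-group": 14}},
    "policy": {"segment-k8s": {"next-hop": "10.10.0.1"}},
}

# Constructed running snapshot with several deviations planted in it.
RUNNING = {
    "system": {
        "banner": "Welcome",
        "aaa": {"users": ["netops", "admin", "svc_backup"], "root-login": True},
        "ssh": {"authorized-keys": {
            "admin": ["ssh-ed25519 AAAA-placeholder-declared admin@corp",
                      "ssh-ed25519 AAAA-placeholder-unknown unknown@unknown"],
            "svc_backup": ["ssh-ed25519 AAAA-placeholder-unknown2 unknown@unknown"],
        }},
    },
    "tunnel": {"branch-almaty": {"remote-endpoint": "203.0.113.50", "ike-group": 14}},
    "policy": {"segment-k8s": {"next-hop": "10.10.0.1"}},
}

if __name__ == "__main__":
    for rec in diff_configs(DECLARED, RUNNING):
        flag = "!!" if rec["sensitive"] else "  "
        print(f"{flag} {rec['kind']:7} {rec['key']}: {rec['declared']!r} -> {rec['running']!r}")
```

Run on a schedule (or as a step in the same pipeline that applies the IaC), a check like this turns the bulletin's indicators into a state-based signal: a new local user, an extra authorized key, root login flipped on, or a tunnel endpoint that no longer matches the repository all show up as sensitive drift even if the log lines that produced them were cleared. The banner change is reported too, but unweighted, so the output is not drowned in cosmetic differences.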

Finally, a tabletop exercise is needed: what will happen if the SD-WAN controller is compromised tomorrow? Who will disconnect suspicious tunnels, how quickly can you switch to backup routes in the clouds, does the business have a clear communication plan in case of network connectivity disruption? The answers to these questions are just as important as applying the patch, because the attacks by UAT-8616 and other groups show: in the event of a real incident, the clock will be ticking in hours, not weeks.

The Role of Cloud and DevOps Partners: How Companies Like Alashed IT Help

For many organizations in Kazakhstan and Central Asia, the problem is that internal IT and DevOps teams simply do not have the resources to simultaneously monitor all vendor bulletins, patch SD-WAN, maintain Kubernetes, cloud infrastructure, and develop new services. Here, outsourcing and managed service partners come to the fore. Companies like Alashed IT (it.alashed.kz), working with multi-cloud architectures and DevOps practices, can take on at least three critical blocks: vulnerability monitoring and bulletins, rapid patch deployment, and continuous auditing of network and cloud configuration.

In practical terms, this is expressed in services like managed SD-WAN and managed Kubernetes: the partner not only designs the architecture but also commits to an SLA on software updates and security. For example, when Cisco patches for CVE-2026-20182 and related vulnerabilities are released, an external team can prepare an update plan within 24-48 hours, test it on staging controllers, and, after agreement with the customer, perform the update in production, minimizing downtime. For internal teams, this eliminates the need to keep narrow SD-WAN specialists on staff and constantly monitor the entire array of CVEs and vendor recommendations.

Another area is building platform engineering as a service. Here, partners help integrate SD-WAN, clouds (AWS, Azure, Google Cloud), Kubernetes, and CI/CD into a single platform with centralized security management. It includes mandatory processes: regular security review of infrastructure code, automatic configuration drift checks, integration with SIEM and SOAR for incident response. As a result, companies get not just a set of disparate technologies, but a coherent ecosystem where a vulnerability in one layer—for example, SD-WAN—is detected and localized faster.

For medium-sized businesses, the economic aspect is important. Instead of investing in purchasing expensive on-premises solutions and expanding their own staff, they can use a combination of cloud services and managed services. In conditions where attacks on the infrastructure level are becoming a regular agenda, it is increasingly difficult for businesses to justify the 'do-it-yourself' model. Transitioning to a partner model with players like Alashed IT allows transferring some operational and investment risks to the contractor while maintaining control over key business processes and data.

What This Means for Kazakhstan

For Kazakhstan and Central Asia, the current wave of attacks on Cisco SD-WAN has direct practical significance. Large banks, telecom operators, mining companies, and government structures in the region are actively modernizing their networks, moving from classical MPLS to SD-WAN and hybrid architectures using AWS, Azure, and local data centers. In such projects, the SD-WAN controller is often placed in the cloud or with an integrator and becomes the key point of control for routing between branches in Astana, Almaty, Shymkent, and overseas offices.

According to local market players, the share of medium and large companies already using elements of SD-WAN or planning to implement them within the next 12 months could reach 40-50 percent in the financial and telecom sectors. This means that the Cisco vulnerabilities described here are quite relevant for a significant part of the corporate infrastructure of Kazakhstan. An additional risk factor is the common practice of placing SD-WAN and firewall management in the same management segments as Kubernetes cluster and cloud virtual machine management. If the controller is compromised, internal services, client mobile applications, and analytics platforms potentially come under threat.

In these conditions, it is advisable for regional companies to rely on local partners with expertise in clouds and DevOps. Companies like Alashed IT (it.alashed.kz) better understand the specifics of regulatory requirements, the characteristics of communication channels within the country, and scenarios for working with local and global cloud providers. This allows them to create practical remediation plans: from express Cisco SD-WAN audits and indicator-of-compromise checks to setting up regular patching processes and implementing Zero Trust approaches. As a result, the business gets not just a 'patch installed', but a sustainable cloud and network operations model adapted to the realities of Kazakhstan and neighboring markets.

Critical Cisco Catalyst SD-WAN vulnerability CVE-2026-20182 with a CVSS rating of 10.0 has been exploited as a zero-day since at least 2023 by the UAT-8616 group.

Attacks on Cisco Catalyst SD-WAN show that not only individual servers or applications are under attack, but also the 'skeleton' of modern cloud infrastructure. Compromising the SD-WAN controller allows attackers to centrally manage traffic between data centers, clouds, and Kubernetes clusters, undermining familiar security models. For companies actively investing in DevOps, platform engineering, and multi-cloud, urgent Cisco updates and a review of network management processes today become a business survival task. Partnering with cloud and DevOps integrators, such as Alashed IT, can play a key role in navigating this period of heightened risk without major incidents.

Frequently Asked Questions

What is CVE-2026-20182 in Cisco SD-WAN and why is it dangerous?

CVE-2026-20182 is a critical authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller with a CVSSv3 rating of 10.0. Its exploitation allows an attacker to gain privileged access to internal accounts on the controller without proper login and password. This allows them to change routing, VPN tunnels, and security policies across the entire SD-WAN fabric, including connections to AWS, Azure, and Google Cloud. According to F5 Labs, this vulnerability has been exploited as a zero-day since at least 2023, making it particularly dangerous.

When does a business need to update Cisco SD-WAN due to new vulnerabilities?

Updating Cisco SD-WAN in connection with CVE-2026-20182, CVE-2026-20127, and related vulnerabilities should be done within days, not weeks. The regulator CISA has already issued Emergency Directive 26-03 with a remediation deadline of May 17 for federal entities, demonstrating the criticality of the situation. In a corporate environment, it is advisable to plan the update of all SD-WAN controllers and managers within 7-14 days at most, prioritizing instances directly connected to clouds and critical services. A delay of more than a month significantly increases the likelihood of a successful attack.

What risks do vulnerable SD-WAN pose to Kubernetes and DevOps pipelines?

Compromising the SD-WAN controller allows an attacker to redirect traffic to Kubernetes clusters, Git servers, and CI/CD agents, as well as embed their proxies in the network scheme. This creates a risk of container image substitution, embedding malicious code in GitLab CI or GitHub Actions pipelines, and stealing secrets (AWS, Azure, Google Cloud keys, Kubernetes tokens). As a result, the DevOps infrastructure, including production clusters, can be compromised without hacking individual servers or accounts. For the business, this means the likelihood of service downtime and data breaches with losses amounting to millions of tenge.

How long does the full remediation cycle for Cisco SD-WAN in a large company take?

The full remediation cycle usually includes inventory, planning, testing, and installing patches and takes 7 to 30 days in a large company. Express audit and identification of all vulnerable SD-WAN instances can be completed in 2-3 days with up-to-date infrastructure documentation and CMDB. Testing updates on a test bench takes another 2-5 days, followed by phased updating of production controllers and devices, taking into account maintenance windows, which can stretch over 1-2 weeks. Engaging external specialists, such as Alashed IT, often reduces this period by about 30-40 percent due to proven methodologies and automation.

How can a business in Kazakhstan save on SD-WAN and cloud protection without losing security?

The optimal strategy is to combine public clouds (AWS, Azure, Google Cloud) with managed security services instead of building everything on-premises. This allows you to pay for usage on an OPEX model and reduce capital expenditures on equipment and staff. Outsourcing SD-WAN, Kubernetes, and security monitoring to companies like Alashed IT reduces the need for maintaining rare specialists within the company and increases the speed of response to new CVEs. At the same time, it is important to maintain internal architectural-level competency and clear SLAs to flexibly manage costs and stay within budget.


Photo: Boitumelo / Unsplash