Ongoing Exploitation of Cisco Catalyst SD-WAN Vulnerabilities

    Date: 05/19/2026

    Severity: Medium

    Summary

    Threat actors are actively exploiting multiple vulnerabilities affecting Cisco Catalyst SD-WAN products, including the authentication bypass flaw CVE-2026-20182, which allows remote attackers to gain administrative access without authentication. Additional exploitation of previously disclosed vulnerabilities has led to post-compromise activity involving webshell deployment and malicious tooling such as XenShell. The campaigns demonstrate continued targeting of unpatched SD-WAN environments for persistent access and remote control.

    Indicators of Compromise (IOC) List

    URLs/Domains

    mtls://23.27.143.170

    http://83.229.126.195:8081/xmrig

    http://83.229.126.195:8081/config.json

    https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download

    a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev

    http://13.62.52.206:5004 

    IP Addresses

    38.181.52.89

    89.125.244.33

    89.125.244.51

    71.80.85.135 

    212.83.162.37

    38.60.214.92

    65.20.67.134

    104.233.156.1

    194.233.100.40

    194.163.175.135

    23.27.143.170

    83.229.126.195

    79.135.105.208

    13.62.52.206

    176.65.139.31

    47.104.248.7

    Hashes (SHA-256)

    b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3

    72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060

    17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925

    f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1

    02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8

    0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0

    96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46

    7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1

    0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d

    18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80

    d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa

    5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://83.229.126.195:8081/config.json" or url like "http://83.229.126.195:8081/config.json" or siteurl like "http://83.229.126.195:8081/config.json" or domainname like "http://83.229.126.195:8081/xmrig" or url like "http://83.229.126.195:8081/xmrig" or siteurl like "http://83.229.126.195:8081/xmrig" or domainname like "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download" or url like "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download" or siteurl like "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download" or domainname like "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev" or url like "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev" or siteurl like "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev" or domainname like "mtls://23.27.143.170" or siteurl like "mtls://23.27.143.170" or url like "mtls://23.27.143.170" or domainname like "http://13.62.52.206:5004" or siteurl like "http://13.62.52.206:5004" or url like "http://13.62.52.206:5004"

    Detection Query 2:

    dstipaddress IN ("47.104.248.7","194.163.175.135","23.27.143.170","79.135.105.208","176.65.139.31","83.229.126.195","38.181.52.89","89.125.244.33","89.125.244.51","71.80.85.135","212.83.162.37","38.60.214.92","65.20.67.134","104.233.156.1","194.233.100.40","13.62.52.206") or srcipaddress IN ("47.104.248.7","194.163.175.135","23.27.143.170","79.135.105.208","176.65.139.31","83.229.126.195","38.181.52.89","89.125.244.33","89.125.244.51","71.80.85.135","212.83.162.37","38.60.214.92","65.20.67.134","104.233.156.1","194.233.100.40","13.62.52.206")

    Detection Query 3:

    sha256hash IN ("18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80","02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8","96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46","d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa","b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3","72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060","17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925","f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1","0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0","7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1","0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d","5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8")
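    The three queries above match a record when any URL/site/domain field equals a listed URL, when either IP field equals a listed address, or when the file hash equals a listed SHA-256. The script below is an added example of the same three checks run offline over sample log records; it is not Gurucul query code and not from the Talos report. The field names mirror the query fields on this page (url, siteurl, domainname, srcipaddress, dstipaddress, sha256hash); the JSON-lines log format and the sample records are constructed assumptions, and the indicator sets are a subset of the IOCs listed above. It goes slightly beyond the literal queries by also matching on the hostname extracted from any URL, so a fetch from a listed host with an unlisted path is still flagged.

```python
"""Offline IOC matcher for the advisory's URL, IP and SHA-256 indicators.

Added example: not Gurucul's query engine and not code from the Talos report.
Field names follow the detection queries on the page; the JSON-lines log
schema and the sample records below are constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Subset of the advisory's indicators (copied from the IOC list above).
IOC_URLS = {
    "http://83.229.126.195:8081/xmrig",
    "http://83.229.126.195:8081/config.json",
    "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download",
    "mtls://23.27.143.170",
    "http://13.62.52.206:5004",
}
# Hostnames derived from the URL indicators (bare IPs included), plus the
# bare domain exactly as the advisory lists it.
IOC_DOMAINS = {urlsplit(u).hostname for u in IOC_URLS} | {
    "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev",
}
IOC_IPS = {
    "38.181.52.89", "89.125.244.33", "23.27.143.170",
    "83.229.126.195", "13.62.52.206", "47.104.248.7",
}
IOC_SHA256 = {
    "b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3",
    "18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80",
}

URL_FIELDS = ("url", "siteurl", "domainname")   # query 1 fields
IP_FIELDS = ("srcipaddress", "dstipaddress")    # query 2 fields
HASH_FIELD = "sha256hash"                       # query 3 field


def match_record(rec: dict) -> list:
    """Return the indicators a single parsed log record matches (deduplicated)."""
    hits, seen = [], set()

    def add(tag):
        if tag not in seen:
            seen.add(tag)
            hits.append(tag)

    for field in URL_FIELDS:
        value = rec.get(field)
        if not value:
            continue
        if value in IOC_URLS:                 # exact URL match, as in query 1
            add(f"url:{value}")
        # Host-level match: parse a URL, or treat a scheme-less value as a host.
        host = urlsplit(value).hostname if "://" in value else value.strip().lower()
        if host and host in IOC_DOMAINS:
            add(f"domain:{host}")

    for field in IP_FIELDS:
        value = rec.get(field)
        if not value:
            continue
        try:
            ip = str(ipaddress.ip_address(value.strip()))  # validates and normalises
        except ValueError:
            continue                          # malformed address: skip, do not crash
        if ip in IOC_IPS:
            add(f"ip:{field}={ip}")

    digest = rec.get(HASH_FIELD)
    if digest and digest.strip().lower() in IOC_SHA256:   # hashes are case-insensitive
        add(f"sha256:{digest.strip().lower()}")
    return hits


def scan(lines) -> dict:
    """Map 1-based line numbers of matching records to their indicator hits."""
    findings = {}
    for number, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                          # unparseable line: ignored here
        hits = match_record(rec)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    '{"srcipaddress":"10.0.0.5","dstipaddress":"83.229.126.195","url":"http://83.229.126.195:8081/xmrig"}',
    '{"srcipaddress":"10.0.0.7","dstipaddress":"8.8.8.8","url":"https://example.com/"}',
    '{"sha256hash":"B0F51B098842CD630097B462AAB0EC357E2C7824AF37CCA6D08165265DA2C2D3"}',
    'not json at all',
    '{"domainname":"1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev","dstipaddress":"35.0.0.1"}',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS).items():
        print(f"line {number}: {', '.join(hits)}")
```

    Running the script prints hits for lines 1, 3 and 5 only; line 1 matches on the URL, its host and the destination IP, line 3 on the hash despite the upper-case encoding, and line 5 on the bare domain. In a real pipeline the IOC sets would be loaded from the advisory feed rather than embedded, and the scheme-less host match should be kept alongside the exact URL match so that a new path on a listed host does not slip past the literal URL list.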

    Reference:

    https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/

    Tags

    Vulnerability, CVE-2026, Exploit