OTPulse Bi-Weekly Briefing - May 18, 2026
CVSS 10.0, KEV-listed, federal deadline May 17. Cisco Catalyst SD-WAN CVE-2026-20182 is actively exploited by UAT-8616 using a version-downgrade-to-conceal technique that makes version checks unreliable. Here is the full attack chain and what to do this week.
Past two weeks in OT security
Over the past two weeks, the most significant advisory in OTPulse's feed was a CVSS 10.0 authentication bypass in the Cisco Catalyst SD-WAN Manager and Controller, CVE-2026-20182. CISA added it to the KEV catalog on May 14 with a federal agency remediation deadline of May 17. Cisco Talos attributes active exploitation to UAT-8616, a group that has been targeting SD-WAN infrastructure since at least 2023.
The entry point is the vdaemon service on UDP port 12346 (DTLS). No credentials required. What makes this one practitioner-notable is the post-compromise concealment: UAT-8616 downgrades firmware to re-expose CVE-2022-20775, gains root that way, then restores the version number. A version check showing a current build does not confirm a clean system.
If SD-WAN isn't in your environment, the RUGGEDCOM APE1808 advisory below is still worth your attention - a PAN-OS buffer overflow on OT-hardened substation hardware, also KEV-listed.
Top advisories to act on
CVE-2026-20182, CVSS 10.0, KEV-listed May 14 with a federal deadline of May 17, actively exploited by UAT-8616. The post-compromise tradecraft uses a version-downgrade cycle, so a current firmware version on the controller does not confirm a clean device. Full breakdown below.
CVE-2026-0300, CVSS 10.0, KEV-listed. Unauthenticated root access on OT-hardened substation perimeter hardware. Patching requires coordinating Siemens hardware support and Palo Alto firmware - plan accordingly. The standalone PAN-OS advisory for non-Siemens hardware deployments is at otpulse.io/feed/32942078-2c3d-4905-9929-5d0780cb8be4.
EPSS 38.3%, three CVEs including CVE-2026-33862 and CVE-2026-33893. Unauthorized access to sensitive manufacturing design data or manipulation of product data feeding downstream processes. If Teamcenter is in your environment, this is Act Now.
CVSS 9.8 rollup advisory covering ~130 CVEs including CVE-2019-13103. Plan Patch tier - no active exploitation, but the scope is broad. Potential for loss of control visibility or setpoint manipulation on devices managing industrial processes.
SD-WAN controllers manage the WAN fabric connecting remote sites to central operations. For a utility or manufacturer with remote locations - pump stations, substations, assembly lines - the SD-WAN controller decides how traffic routes between those sites and the SCADA historian or DCS head-end. It occupies the same architectural position as the Moxa OnCell routers from the May 4 briefing, at a higher enterprise scale and with broader blast radius.
When UAT-8616 compromises a controller via CVE-2026-20182, they don't just own a router. They own the control plane for your WAN fabric. NETCONF lets them push changes to every site simultaneously: redirect backhaul, isolate a remote site from its historian, or modify routing so that OT segment traffic transits attacker-controlled infrastructure. That last option is relevant to environments where OT traffic runs over the SD-WAN fabric rather than a dedicated private circuit.
The version downgrade concealment step is worth understanding. CVE-2022-20775 is a known flaw Cisco patched in an earlier release cycle. UAT-8616 deliberately downgrades the firmware, exploits the older flaw to gain root, then restores the version number to the current build. If you check firmware and see a current build, that does not tell you whether a downgrade-and-restore cycle already occurred. The reliable forensic steps are log review and SSH key auditing, not version inspection.
What to Do This Week
If you are running Cisco Catalyst SD-WAN Manager or Controller:
- Patch to the fixed version. Cisco's advisory cisco-sa-sdwan-rpa2-v69WY2SW lists the fixed releases. The federal deadline was May 17.
- Audit for unauthorized SSH keys. UAT-8616 inserts SSH keys for persistence. Pull the authorized keys list on your SD-WAN controllers and compare against your known-good baseline. On Cisco vManage: show system ssh-authorized-keys. Remove anything unrecognized.
- Review NETCONF session logs. Unexpected sessions outside of change windows are the indicator of active exploitation. Check connection timestamps and source IPs in your vManage logs.
- Verify UDP 12346 (DTLS) is blocked from untrusted segments. The vdaemon service listens on this port. If it is reachable from non-SD-WAN segments or from the internet, firewall it immediately.
- Check WAN fabric configurations for unauthorized route changes in the past 30-60 days. NETCONF-delivered changes may not appear in your standard change management workflow if the controller was accessed directly.
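The SSH key audit and the NETCONF session review above are the two checks that survive the version-downgrade trick, so they are worth scripting rather than eyeballing once. The following is an added example, not code from OTPulse or Cisco. It assumes the authorized-keys export is one OpenSSH-format key per line (the exact output of show system ssh-authorized-keys may differ, so adapt the parser), and the NETCONF log line format, the change windows, the management subnet and every key and IP address in it are constructed for the example.

```python
"""Added example: repeatable checks for the SD-WAN controller audit steps.

Assumptions (not from the briefing):
  * authorized-keys export is OpenSSH format, one key per line, optional
    leading options such as from="..." tolerated
  * NETCONF session log lines look like
    "<ISO 8601 UTC timestamp> netconf session-start user=<u> src=<ip>"
All keys, addresses, timestamps and windows below are constructed sample data.
"""
from datetime import datetime, timezone
import ipaddress
import re

KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-\S+|sk-\S+)$")

# Constructed known-good baseline: keys the team deliberately provisioned.
BASELINE_KEYS = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKeyOne netops@jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBaselineKeyTwo backup@vault
"""

# Constructed current export: both baseline keys plus one nobody recognises.
CURRENT_KEYS = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBaselineKeyOne netops@jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBaselineKeyTwo backup@vault
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnrecognisedKeyXYZ
"""


def parse_authorized_keys(text: str) -> set[tuple[str, str]]:
    """Return the set of (key type, key material) pairs in a listing.
    Comments are ignored on purpose: a planted key can carry any comment,
    so only the key material is compared against the baseline."""
    keys = set()
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Skip a leading options field (e.g. from="10.0.0.1") if present.
        for i, tok in enumerate(tokens[:-1]):
            if KEY_TYPE_RE.match(tok):
                keys.add((tok, tokens[i + 1]))
                break
    return keys


def unauthorized_keys(baseline_text: str, current_text: str) -> list[tuple[str, str]]:
    """Keys present on the device but absent from the known-good baseline."""
    return sorted(parse_authorized_keys(current_text) - parse_authorized_keys(baseline_text))


# Constructed NETCONF session log (format assumed, see module docstring).
NETCONF_LOG = """
2026-05-06T21:05:12Z netconf session-start user=netops src=10.10.5.20
2026-05-10T02:13:44Z netconf session-start user=admin src=198.51.100.77
2026-05-13T21:40:03Z netconf session-start user=netops src=10.10.5.20
"""

# Constructed approved change windows (UTC) and management subnet.
CHANGE_WINDOWS = [
    (datetime(2026, 5, 6, 21, 0, tzinfo=timezone.utc), datetime(2026, 5, 6, 23, 0, tzinfo=timezone.utc)),
    (datetime(2026, 5, 13, 21, 0, tzinfo=timezone.utc), datetime(2026, 5, 13, 23, 0, tzinfo=timezone.utc)),
]
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+netconf session-start user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_netconf_sessions(text: str) -> list[dict]:
    """Parse session-start lines into dicts with an aware UTC datetime."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions.append({"time": ts, "user": m["user"], "src": m["src"]})
    return sessions


def suspicious_sessions(sessions: list[dict], windows, mgmt_nets) -> list[dict]:
    """Flag a session if it starts outside every approved window OR comes
    from outside the management subnet; either condition alone is enough."""
    flagged = []
    for s in sessions:
        in_window = any(start <= s["time"] <= end for start, end in windows)
        src = ipaddress.ip_address(s["src"])
        from_mgmt = any(src in net for net in mgmt_nets)
        if not in_window or not from_mgmt:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for key in unauthorized_keys(BASELINE_KEYS, CURRENT_KEYS):
        print("UNKNOWN SSH KEY:", *key)
    for s in suspicious_sessions(parse_netconf_sessions(NETCONF_LOG), CHANGE_WINDOWS, MGMT_NETS):
        print("SUSPICIOUS NETCONF SESSION:", s["time"].isoformat(), s["user"], s["src"])
```

Run it against the real export and log from each controller; anything printed goes into the incident ticket. Keep the baseline file under version control so a key that was quietly added to the baseline itself shows up in history.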
Industry Intel
In case you missed it
Reports & Research
96% of OT security incidents originated from IT-level compromises. 60% of organizations experienced at least one incident in 2025. - TXOne Networks / Frost & Sullivan