UAT-8616
A threat actor active since at least 2023 that exploits Cisco SD-WAN vulnerabilities using Operational Relay Box infrastructure that overlaps with Flax Typhoon and Integrity Technology Group networks.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Six Cisco SD-WAN CVEs in 2026; is UAT-8616 inside most enterprise network management planes?
Timeline for UAT-8616
Exploited CVE-2026-20182, injected SSH keys, manipulated NETCONF configuration, created accounts, and cleared logs
Cybersecurity: Threats and Defences: UAT-8616 keeps Cisco SD-WAN under fire
- Who is UAT-8616 and what are they attacking?
- UAT-8616 is a China-linked threat cluster (attributed via infrastructure overlap with Integrity Technology Group and Flax Typhoon) that has been exploiting Cisco SD-WAN vulnerabilities since at least 2023. In May 2026 it was confirmed exploiting a CVSS 10.0 authentication bypass (CVE-2026-20182) to gain persistent access to enterprise and government SD-WAN management planes. Source: CISA / Cisco Talos
- Is UAT-8616 connected to China's state hacking groups?
- UAT-8616's Operational Relay Box infrastructure overlaps with networks operated by Integrity Technology Group, a Beijing firm sanctioned by the US in December 2025, and Flax Typhoon, named in a sixteen-agency advisory in April 2026. Formal PLA or MSS attribution has not been issued; the link is via shared proxy infrastructure. Source: CISA
- How does the Cisco SD-WAN CVE-2026-20182 flaw work?
- CVE-2026-20182 is an authentication bypass in Cisco Catalyst SD-WAN's vdaemon service over DTLS port 12346. A peer can claim to be a vHub device without valid certificate verification, gaining authenticated status and access to the management plane without credentials. Source: CISA / Help Net Security
- Why has Cisco SD-WAN been attacked six times in 2026?
- SD-WAN Manager controls traffic routing, encryption keys, and access policy across an entire network overlay, making it a high-leverage target. Once inside, an attacker controls the entire SD-WAN estate. CISA has logged six distinct SD-WAN CVEs from Cisco that were actively exploited in 2026, suggesting sustained adversary interest in the product family. Source: CISA
Background
UAT-8616 is a threat cluster active since at least 2023, confirmed by CISA and Cisco Talos as the actor exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Manager and Controller. CISA added the vulnerability to the Known Exploited Vulnerabilities catalogue on 14 May 2026 and issued Emergency Directive ED 26-03 with a three-day federal remediation window. UAT-8616's post-compromise playbook includes SSH key injection, NETCONF configuration manipulation, account creation, and log clearing to achieve persistent access to the SD-WAN management plane. The actor also chains the older CVE-2022-20775 via software-version downgrade for root escalation.
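As an added example (not from the original page, CISA or Cisco Talos), a short Python correlation over constructed audit-log lines that flags a management-plane host on which all four post-compromise steps attributed to UAT-8616 (SSH key injection, NETCONF configuration change, account creation, log clearing) appear within a short window. The line format, host names and match patterns are assumptions for illustration, not Cisco's actual log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <host> <message>" (assumed format).
SAMPLE_LOG = """\
2026-05-14T02:11:03 vmanage-01 sshd: authorized_keys updated for user admin
2026-05-14T02:12:40 vmanage-01 netconf: edit-config committed by admin
2026-05-14T02:13:05 vmanage-01 useradd: new account svc_backup created
2026-05-14T02:15:22 vmanage-01 audit: log files cleared by admin
2026-05-14T09:30:00 vmanage-02 netconf: edit-config committed by netops
2026-05-15T11:00:00 vmanage-02 useradd: new account jdoe created
"""

# One pattern per step of the persistence chain described in the text.
INDICATORS = {
    "ssh_key_injection": re.compile(r"authorized_keys updated"),
    "netconf_edit": re.compile(r"netconf: edit-config"),
    "account_creation": re.compile(r"new account \S+ created"),
    "log_clearing": re.compile(r"log files cleared"),
}

def parse(log_text):
    """Yield (timestamp, host, message) from the assumed line format."""
    for line in log_text.splitlines():
        ts, host, msg = line.split(" ", 2)
        yield datetime.fromisoformat(ts), host, msg

def indicators_by_host(log_text):
    """Map host -> {indicator: [timestamps]} for every matching line."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, host, msg in parse(log_text):
        for name, rx in INDICATORS.items():
            if rx.search(msg):
                seen[host][name].append(ts)
    return seen

def find_persistence_chains(log_text, window=timedelta(hours=1)):
    """Return hosts where every indicator first fires inside `window`.

    A single NETCONF edit or new account is routine; the full chain on
    one host in a short span is what warrants an investigation."""
    hits = []
    for host, times in indicators_by_host(log_text).items():
        if len(times) < len(INDICATORS):
            continue  # partial match only; worth a lower-priority alert
        firsts = [min(stamps) for stamps in times.values()]
        if max(firsts) - min(firsts) <= window:
            hits.append(host)
    return hits
```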
UAT-8616's Operational Relay Box infrastructure overlaps with the Flax Typhoon and Integrity Technology Group networks named in the sixteen-agency joint advisory of 23 April 2026. Integrity Technology Group, the Beijing firm sanctioned by the US Office of Foreign Assets Control in December 2025, operates the covert proxy estate that both Flax Typhoon and UAT-8616 use to launder attacker traffic. This infrastructure overlap places UAT-8616 within the same ecosystem as known state-attributed PRC-nexus actors without constituting a direct attribution to the People's Liberation Army or Ministry of State Security. CVE-2026-20182 is the sixth Cisco SD-WAN CVE catalogued and exploited in 2026, continuing a pattern of sustained adversary investment in the SD-WAN management plane.
The FIRESTARTER campaign documented on 24 April 2026 involved shared ORB infrastructure with UAT-8616 against Cisco edge appliances. Whether UAT-8616's visibility into Cisco SD-WAN, combined with UNC6780's exfiltration of Cisco AI Defense source code in the same window, represents coordination or coincidental targeting is an open question Cisco has not addressed publicly.