UAT-8616
A threat actor active since at least 2023 that exploits Cisco SD-WAN vulnerabilities using Operational Relay Box infrastructure that overlaps with Flax Typhoon and Integrity Technology Group networks.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Six Cisco SD-WAN CVEs in 2026; is UAT-8616 inside most enterprise network management planes?
Timeline for UAT-8616
Mentioned in: Cisco tops a five-vendor KEV batch
Cybersecurity: Threats and DefencesMentioned in: Triple CVSS-10 Ubiquiti chain hits root
Cybersecurity: Threats and DefencesExploited CVE-2026-20182, injected SSH keys, manipulated NETCONF configuration, created accounts, and cleared logs
Cybersecurity: Threats and Defences: UAT-8616 keeps Cisco SD-WAN under fireWho is UAT-8616 and what are they attacking?
Is UAT-8616 connected to China's state hacking groups?
How does the Cisco SD-WAN CVE-2026-20182 flaw work?
Background
UAT-8616 is a threat cluster active since at least 2023, confirmed by CISA and Cisco Talos as the actor exploiting CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Manager and Controller. CISA added the vulnerability to the Known Exploited Vulnerabilities catalogue on 14 May 2026 and issued Emergency Directive ED 26-03 with a three-day federal remediation window. UAT-8616's post-compromise playbook includes SSH key injection, NETCONF configuration manipulation, account creation, and log clearing to achieve persistent access to the SD-WAN management plane. The actor also chains the older CVE-2022-20775 via software-version downgrade for root escalation.
UAT-8616's Operational Relay Box infrastructure overlaps with the Flax Typhoon and Integrity Technology Group networks named in the sixteen-agency joint advisory of 23 April 2026. Integrity Technology Group, the Beijing firm sanctioned by the US Office of Foreign Assets Control in December 2025, operates the covert proxy estate that both Flax Typhoon and UAT-8616 use to launder attacker traffic. This infrastructure overlap places UAT-8616 within the same ecosystem as known state-attributed PRC-nexus actors without constituting a direct attribution to the People's Liberation Army or Ministry of State Security. CVE-2026-20182 is the sixth Cisco SD-WAN CVE catalogued and exploited in 2026, continuing a pattern of sustained adversary investment in the SD-WAN management plane.
The FIRESTARTER campaign documented on 24 April 2026 involved shared ORB infrastructure with UAT-8616 against Cisco edge appliances. Whether UAT-8616's visibility into Cisco SD-WAN, combined with UNC6780's exfiltration of Cisco AI Defense source code in the same window, represents coordination or coincidental targeting is an open question Cisco has not addressed publicly.