CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt
Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
Vulnerability Intelligence
- KEV: Known Exploited
Affected Software
- Vendor: Cisco
- Product: SD-WAN
Timeline
- Disclosed: February 25, 2026
References & Proof of Concept
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-20775
What is CVE-2022-20775 (Cisco SD-WAN Path Traversal Exploitation Attempt)?
CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt maps to the MITRE ATT&CK tactics Initial Access, Privilege Escalation, and Defense Evasion: the adversary is trying to get into your network, gain higher-level permissions, and avoid detection.
This page provides production-ready detection logic for CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel Network Logs, and Azure Monitor. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, and LogScale.
Detection Logic (KQL)
Detects path traversal sequences in network requests to Cisco SD-WAN management APIs, suspicious process spawning from SD-WAN daemons, and unauthorized file access to sensitive OS paths initiated by SD-WAN processes.
union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(7d)
| where
(
// Network: inbound requests to vManage or vBond API endpoints with traversal sequences.
// has_any matches whole alphanumeric terms, so punctuation-only sequences such as '../'
// are not matched reliably; a case-insensitive substring regex is used instead.
(ActionType in ('ConnectionSuccess', 'HttpRequestReceived') and
RemoteUrl matches regex @'(?i)(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e)' and
RemoteUrl has_any ('/dataservice/', '/template/', '/device/'))
or
// Process: suspicious child processes spawned from SD-WAN daemons
(InitiatingProcessFileName in~ ('vdaemon', 'vmanage', 'vbond', 'vsmart') and
FileName in~ ('sh', 'bash', 'python', 'python3', 'curl', 'wget', 'nc', 'ncat'))
or
// File: access to sensitive files via path traversal from SD-WAN context
(InitiatingProcessFileName in~ ('vdaemon', 'vmanage') and
FolderPath has_any ('/etc/passwd', '/etc/shadow', '/root/', '/home/', '/.ssh/'))
)
| extend ThreatContext = 'CVE-2022-20775 Cisco SD-WAN Path Traversal'
| project TimeGenerated, DeviceName, ActionType, RemoteUrl, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ThreatContext
False Positives
- Legitimate administrative scripts that access SD-WAN APIs using encoded path characters for valid configuration management
- Automated backup or compliance tooling that reads system files while running under SD-WAN service accounts
- Security scanners or vulnerability assessment tools performing authorized testing of SD-WAN infrastructure
- SD-WAN software updates or migrations that temporarily spawn shell processes for installer scripts
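As an added illustration that is not part of this page's detection package, the following Python script applies the same traversal-sequence and management-API-prefix logic as the KQL query to a few constructed access-log lines, including the double-encoded bypass and a benign request whose percent-encoding is unrelated to traversal. The log format, client addresses and URIs are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real SD-WAN telemetry): client, method, URI, status.
SAMPLE_LOG = """\
10.0.0.5 GET /dataservice/device/status 200
10.0.0.7 GET /dataservice/../../../etc/passwd 200
10.0.0.7 GET /dataservice/%2e%2e%2f%2e%2e%2fetc%2fpasswd 200
10.0.0.9 GET /template/%252e%252e%252f%252e%252e%252fetc%252fshadow 403
10.0.0.5 GET /dataservice/template/feature?name=site%2dA 200
10.0.0.8 GET /api/v1/health 200
"""

# Management-API prefixes taken from the KQL query on this page.
MGMT_PREFIXES = ("/dataservice/", "/template/", "/device/")
# Two dots (literal or %2e) followed by a literal or encoded slash/backslash.
TRAVERSAL_RE = re.compile(r"(\.|%2e){2}(/|\\|%2f|%5c)", re.IGNORECASE)

def normalize_uri(uri, max_rounds=3):
    """Percent-decode repeatedly until stable, so a double-encoded
    %252e%252e%252f is reduced to '../' the way the server would see it."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal_attempt(uri):
    """True when the request targets a management API path and carries a
    traversal sequence either as written or after full decoding."""
    decoded = normalize_uri(uri)
    targets_api = any(p in decoded for p in MGMT_PREFIXES)
    has_traversal = bool(TRAVERSAL_RE.search(uri) or TRAVERSAL_RE.search(decoded))
    return targets_api and has_traversal

def scan_log(text):
    """Return (client, raw_uri, decoded_uri) for every flagged line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the scan
        client, uri = parts[0], parts[2]
        if is_traversal_attempt(uri):
            hits.append((client, uri, normalize_uri(uri)))
    return hits

if __name__ == "__main__":
    for client, raw, decoded in scan_log(SAMPLE_LOG):
        print(f"{client} {raw} -> {decoded}")
```

The benign `site%2dA` request is not flagged, which matches the first false-positive case above: encoded characters alone are not the signal, a decoded traversal sequence on a management path is.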
Sigma rule & cross-platform mapping
The detection logic for CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CrowdStrike LogScale (CQL) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
Note that this logsource covers only the process-creation branch of the query above; the network-request and file-access branches require their own logsources.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Cisco SD-WAN vManage Path Traversal File Read via API
Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process
- Test 2: Cisco SD-WAN Percent-Encoded Path Traversal Bypass
Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs
- Test 3: SD-WAN Post-Exploitation SSH Key Injection via Traversal Write
Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/
- Test 4: Simulate SD-WAN Daemon Spawning Reverse Shell
Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent