CVE-2022-20775 Elastic Security · Elastic

Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in Elastic Security

Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [network where
    event.type == "connection" and
    (url.path : ("*../*", "*%2e%2e%2f*", "*%252e%252e*", "*..%2f*") and
     url.path : ("*/dataservice/*", "*/template/*", "*/device/*"))
  ] by source.ip
  [process where
    event.type == "start" and
    process.parent.name : ("vdaemon", "vmanage", "vbond", "vsmart") and
    process.name : ("sh", "bash", "python*", "curl", "wget", "nc")
  ] by host.ip
critical severity high confidence

Correlates inbound path traversal requests to SD-WAN management APIs with subsequent suspicious process spawning from SD-WAN parent processes on the same host within a 5-minute window.

Data Sources

Elastic Endpoint SecurityNetwork Packet CaptureSyslog

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*

False Positives & Tuning

  • Automated provisioning systems that send encoded API requests followed by expected shell-based post-configuration tasks
  • Security orchestration tools that test SD-WAN endpoints and trigger diagnostic scripts
  • Legitimate SD-WAN HA failover processes that spawn shell commands after receiving network signals

Other platforms for CVE-2022-20775

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Cisco SD-WAN vManage Path Traversal File Read via API

    Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process

  2. Test 2Cisco SD-WAN Percent-Encoded Path Traversal Bypass

    Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs

  3. Test 3SD-WAN Post-Exploitation SSH Key Injection via Traversal Write

    Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/

  4. Test 4Simulate SD-WAN Daemon Spawning Reverse Shell

    Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2022-20775 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1548Abuse Elevation Control MechanismT1083File and Directory DiscoveryT1552.004Private Keys

Same Tactic: Initial Access

Popular Detections