Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in CrowdStrike LogScale
Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
LogScale Detection Query
// CVE-2022-20775 — Cisco SD-WAN Path Traversal
#event_simpleName IN (NetworkConnectIP4, ProcessRollup2, DnsRequest)
| filter
(
// Network: traversal in URI
(event_simpleName = "NetworkConnectIP4" AND
RemoteAddressIP4 != null AND
(HttpUri = ~"*../*" OR HttpUri = ~"*%2e%2e%2f*" OR HttpUri = ~"*%252e%252e*") AND
(HttpUri = ~"*/dataservice/*" OR HttpUri = ~"*/template/*" OR HttpUri = ~"*/device/*"))
OR
// Process: SD-WAN daemon spawns shell
(event_simpleName = "ProcessRollup2" AND
ParentImageFileName IN~ ("vdaemon", "vmanage", "vbond", "vsmart") AND
ImageFileName IN~ ("sh", "bash", "python", "python3", "curl", "wget", "nc"))
)
| eval ThreatLabel = "CVE-2022-20775 Cisco SD-WAN Path Traversal"
| select timestamp, ComputerName, UserName, ImageFileName, ParentImageFileName, CommandLine, HttpUri, RemoteAddressIP4, ThreatLabelCrowdStrike Falcon Query Language rule detecting path traversal URI patterns in SD-WAN HTTP connections and suspicious subprocess execution chains originating from Cisco SD-WAN daemons.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor telemetry from authorized pen-test operations against SD-WAN endpoints
- Legitimate SD-WAN automation invoking python scripts for policy deployment
- Network monitoring tools connecting to vManage REST APIs with non-standard URL encoding
Other platforms for CVE-2022-20775
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco SD-WAN vManage Path Traversal File Read via API
Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process
- Test 2Cisco SD-WAN Percent-Encoded Path Traversal Bypass
Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs
- Test 3SD-WAN Post-Exploitation SSH Key Injection via Traversal Write
Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/
- Test 4Simulate SD-WAN Daemon Spawning Reverse Shell
Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-20775
Unlock Pro Content
Get the full detection package for CVE-2022-20775 including response playbook, investigation guide, and atomic red team tests.