CVE-2022-20775 IBM QRadar · QRadar

Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in IBM QRadar

Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  "Process Name",
  username,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  (
    (
      (URL ILIKE '%../%' OR URL ILIKE '%..\\%' OR URL ILIKE '%2e%2e%2f%' OR URL ILIKE '%252e%252e%' OR URL ILIKE '%..%2f%')
      AND (URL ILIKE '%/dataservice/%' OR URL ILIKE '%/template/%' OR URL ILIKE '%/device/%' OR URL ILIKE '%/vmanage%')
    )
    OR
    (
      "Process Name" ILIKE '%vdaemon%' OR "Process Name" ILIKE '%vmanage%' OR "Process Name" ILIKE '%vbond%'
      AND "Command Line" MATCHES '.*\b(bash|sh|python|curl|wget|nc)\b.*'
    )
  )
  AND LOGSOURCETYPENAME(devicetype) IN ('Cisco SD-WAN', 'Linux OS', 'Apache HTTP Server')
LAST 7 DAYS
critical severity medium confidence

Queries QRadar for path traversal sequences in URL fields from SD-WAN log sources and suspicious subprocess execution patterns linked to SD-WAN daemon processes.

Data Sources

Cisco SD-WANLinux SyslogNetwork IDS

Required Tables

events

False Positives & Tuning

  • URL encoding variations used by legitimate REST API clients interacting with vManage
  • Authorized red team operations targeting SD-WAN infrastructure
  • Backup and restore procedures that temporarily invoke shell commands under vdaemon context

Other platforms for CVE-2022-20775

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Cisco SD-WAN vManage Path Traversal File Read via API

    Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process

  2. Test 2Cisco SD-WAN Percent-Encoded Path Traversal Bypass

    Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs

  3. Test 3SD-WAN Post-Exploitation SSH Key Injection via Traversal Write

    Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/

  4. Test 4Simulate SD-WAN Daemon Spawning Reverse Shell

    Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2022-20775 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1548Abuse Elevation Control MechanismT1083File and Directory DiscoveryT1552.004Private Keys

Same Tactic: Initial Access

Popular Detections