Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in Microsoft Sentinel
Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
KQL Detection Query
union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(7d)
| where
(
// Network: inbound requests to vManage or vBond API endpoints with traversal sequences
(ActionType in ('ConnectionSuccess', 'HttpRequestReceived') and
RemoteUrl has_any ('../', '..\\', '%2e%2e%2f', '%2e%2e/', '..%2f', '%252e%252e') and
RemoteUrl has_any ('/dataservice/', '/template/', '/device/'))
or
// Process: suspicious child processes spawned from SD-WAN daemons
(InitiatingProcessFileName in~ ('vdaemon', 'vmanage', 'vbond', 'vsmart') and
FileName in~ ('sh', 'bash', 'python', 'python3', 'curl', 'wget', 'nc', 'ncat'))
or
// File: access to sensitive files via path traversal from SD-WAN context
(InitiatingProcessFileName in~ ('vdaemon', 'vmanage') and
FolderPath has_any ('/etc/passwd', '/etc/shadow', '/root/', '/home/', '/.ssh/'))
)
| extend ThreatContext = 'CVE-2022-20775 Cisco SD-WAN Path Traversal'
| project TimeGenerated, DeviceName, ActionType, RemoteUrl, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ThreatContextDetects path traversal sequences in network requests to Cisco SD-WAN management APIs, suspicious process spawning from SD-WAN daemons, and unauthorized file access to sensitive OS paths initiated by SD-WAN processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative scripts that access SD-WAN APIs using encoded path characters for valid configuration management
- Automated backup or compliance tooling that reads system files while running under SD-WAN service accounts
- Security scanners or vulnerability assessment tools performing authorized testing of SD-WAN infrastructure
- SD-WAN software updates or migrations that temporarily spawn shell processes for installer scripts
Other platforms for CVE-2022-20775
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Cisco SD-WAN vManage Path Traversal File Read via API
Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process
- Test 2Cisco SD-WAN Percent-Encoded Path Traversal Bypass
Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs
- Test 3SD-WAN Post-Exploitation SSH Key Injection via Traversal Write
Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/
- Test 4Simulate SD-WAN Daemon Spawning Reverse Shell
Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-20775
Unlock Pro Content
Get the full detection package for CVE-2022-20775 including response playbook, investigation guide, and atomic red team tests.