Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in Splunk
Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
SPL Detection Query
index=network OR index=syslog OR index=cisco_sdwan
| eval combined_field = coalesce(uri_path, request_uri, url, file_path, process_name)
| where (
    (sourcetype IN ("cisco:sdwan", "cisco:ios", "pan:traffic", "nginx:access") AND
     match(combined_field, "(\.\./|%2e%2e%2f|%252e%252e|\.\.%2f|%2e%2e/)") AND
     match(combined_field, "(/dataservice/|/template/|/device/|/vmanage)"))
    OR
    (sourcetype="linux:syslog" AND
     match(process, "(vdaemon|vmanage|vbond|vsmart)") AND
     match(command, "(bash|sh|python|curl|wget|nc\b)"))
    OR
    (sourcetype="linux:audit" AND
     match(exe, "/(vdaemon|vmanage)") AND
     match(name, "(/etc/passwd|/etc/shadow|/.ssh/|/root/)"))
  )
| eval threat_label="CVE-2022-20775 Cisco SD-WAN Path Traversal"
| table _time, host, sourcetype, src_ip, dest_ip, uri_path, process, command, name, threat_label
| sort -_time

Detects path traversal patterns in Cisco SD-WAN API requests and suspicious process or file activity initiated by SD-WAN service processes on Linux-based appliances.
Data Sources
Required Sourcetypes
The query reads from the sourcetypes it names: cisco:sdwan, cisco:ios, pan:traffic and nginx:access (request logs that populate uri_path, request_uri or url), linux:syslog (process and command fields from the appliance) and linux:audit (exe and name fields from file-access audit events).
False Positives & Tuning
- Legitimate encoding of special characters in API URLs by management automation frameworks
- Authorized penetration testing or vulnerability scanning of SD-WAN management interfaces
- SD-WAN upgrade processes that invoke shell commands as part of the installation workflow
- Monitoring agents running under SD-WAN process context that periodically read system configuration files
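As an added example (not the page's SPL and not Cisco or Splunk code), this Python applies the first branch of the query above, plus the percent-encoding tuning note, to constructed access-log lines: it decodes the URI before looking for a ".." segment inside an SD-WAN API path, so it also catches encoding variants missing from the fixed list in the query while not flagging encoded dots in an ordinary file name. The log format, field names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed nginx-style access log lines (not real SD-WAN telemetry): one normal
# request, three traversal variants from the SPL regex (plain, percent-encoded,
# double-encoded), and one benign request with percent-encoded dots in a file name.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:10:00:01 +0000] "GET /dataservice/device HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2025:10:00:02 +0000] "GET /dataservice/template/../../../../etc/passwd HTTP/1.1" 403 0
10.0.0.7 - - [10/Mar/2025:10:00:03 +0000] "GET /dataservice/template/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0
10.0.0.7 - - [10/Mar/2025:10:00:04 +0000] "GET /vmanage/%252e%252e%252fetc/passwd HTTP/1.1" 403 0
10.0.0.9 - - [10/Mar/2025:10:00:05 +0000] "GET /dataservice/template/feature%2e1%2ejson HTTP/1.1" 200 900
"""

# Common-log-format fields standing in for the query's src_ip and uri_path.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Same SD-WAN API prefixes as the page's second match() call.
SDWAN_API = re.compile(r'/(dataservice|template|device|vmanage)')
# A ".." path segment, checked after decoding instead of via an encoding list.
DOTDOT_SEGMENT = re.compile(r'(?:^|/)\.\.(?:/|$)')


def decode_layers(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f
    (double-encoded) and %2e%2e%2f (single-encoded) both collapse to ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(uri):
    """True when the decoded path hits an SD-WAN API prefix and contains a '..'
    segment; encoded dots inside an ordinary file name do not qualify."""
    path = uri.split('?', 1)[0]
    decoded = decode_layers(path)
    return bool(SDWAN_API.search(decoded) and DOTDOT_SEGMENT.search(decoded))


def scan_log(text):
    """Return (src_ip, uri, status) for each line that looks like a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group('uri')):
            hits.append((m.group('src_ip'), m.group('uri'), m.group('status')))
    return hits
```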
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Cisco SD-WAN vManage Path Traversal File Read via API
  Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process
- Test 2: Cisco SD-WAN Percent-Encoded Path Traversal Bypass
  Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs
- Test 3: SD-WAN Post-Exploitation SSH Key Injection via Traversal Write
  Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/
- Test 4: Simulate SD-WAN Daemon Spawning Reverse Shell
  Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent
References
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-sd-wan-priv-E6e8tEdF.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-20775