CVE-2022-20775 Sumo Logic CSE · Sumo

Detect CVE-2022-20775 — Cisco SD-WAN Path Traversal Exploitation Attempt in Sumo Logic CSE

Detects exploitation attempts targeting CVE-2022-20775, a path traversal vulnerability (CWE-25, CWE-282) in Cisco SD-WAN software. Successful exploitation may allow an authenticated attacker to read or write arbitrary files on the underlying operating system, potentially leading to privilege escalation or persistent access. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=cisco/sdwan OR _sourceCategory=linux/syslog OR _sourceCategory=network/proxy
| parse regex "(?<traversal_hit>(?:\.\./|%2e%2e%2f|%252e%252e|\.\.%2f|%2e%2e/))" nodrop
| parse regex "(?<sdwan_path>/(?:dataservice|template|device|vmanage)[^\s]*)" nodrop
| parse regex "(?<sdwan_proc>vdaemon|vmanage|vbond|vsmart)" nodrop
| parse regex "(?<susp_cmd>\b(?:bash|sh|python3?|curl|wget|nc|ncat)\b)" nodrop
| where (traversal_hit != "" and sdwan_path != "") or (sdwan_proc != "" and susp_cmd != "")
| fields _sourcehost, _sourcecategory, traversal_hit, sdwan_path, sdwan_proc, susp_cmd, _raw
| count by _sourcehost, traversal_hit, sdwan_proc
| where _count > 0
| sort by _count desc
critical severity medium confidence

Identifies path traversal patterns in Cisco SD-WAN API traffic and suspicious command execution spawned from SD-WAN processes using Sumo Logic field parsing.

Data Sources

Cisco SD-WAN LogsLinux SyslogNetwork Proxy

Required Tables

cisco/sdwanlinux/syslognetwork/proxy

False Positives & Tuning

  • API gateway or load balancer URL normalization that retains encoded traversal-like sequences
  • Security tooling performing authorized assessments of vManage endpoints
  • Legitimate scripted configurations that spawn shells transiently for SD-WAN onboarding

Other platforms for CVE-2022-20775

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Cisco SD-WAN vManage Path Traversal File Read via API

    Expected signal: HTTP request log entry with traversal sequence in URI; if successful, HTTP 200 response with /etc/passwd content; file access audit event for /etc/passwd by vManage process

  2. Test 2Cisco SD-WAN Percent-Encoded Path Traversal Bypass

    Expected signal: HTTP access log entry with double-encoded sequence; IDS/WAF alert if deployed; server-side decode of %25 sequences visible in application logs

  3. Test 3SD-WAN Post-Exploitation SSH Key Injection via Traversal Write

    Expected signal: HTTP POST to path traversal URI; file modification event on /root/.ssh/authorized_keys; audit log entry showing vManage process writing to /root/.ssh/

  4. Test 4Simulate SD-WAN Daemon Spawning Reverse Shell

    Expected signal: Process creation event: parent=vmanage, child=bash with -i flag and TCP redirect in command line; network connection from bash process to 127.0.0.1:4444; EDR alert on shell spawned by non-interactive parent

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2022-20775 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1190Exploit Public-Facing ApplicationT1548Abuse Elevation Control MechanismT1083File and Directory DiscoveryT1552.004Private Keys

Same Tactic: Initial Access

Popular Detections