Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127)

union CommonSecurityLog, DeviceNetworkEvents
| where TimeGenerated >= ago(7d)
| where (DeviceProduct has_any ("SD-WAN", "vManage", "vBond", "vSmart") or ProcessName has_any ("vmanage", "vbond", "vsmart"))
| where (Activity has_any ("authentication bypass", "unauthenticated", "unauthorized") or Message has_any ("auth_bypass", "no_auth", "bypass", "401", "403") or (EventID in (4625, 4648, 4624) and LogonType == 3))
| extend SourceIPAddress = coalesce(SourceIP, RemoteIP)
| summarize AttemptCount = count(), DistinctURIs = dcount(RequestURL), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIPAddress, DestinationIP, bin(TimeGenerated, 5m)
| where AttemptCount >= 3
| extend Severity = iif(AttemptCount >= 10, "Critical", "High")
| project TimeGenerated, SourceIPAddress, DestinationIP, AttemptCount, DistinctURIs, FirstSeen, LastSeen, Severity

index=network OR index=cisco_sdwan OR index=syslog
(sourcetype="cisco:sdwan" OR sourcetype="cisco:vmanage" OR sourcetype="cisco:ios" OR host IN ("vmanage*", "vbond*", "vsmart*"))
| eval event_time=_time
| search (message IN ("*auth*bypass*", "*unauthenticated*", "*no.*session*", "*unauthorized*access*") OR (status IN ("401", "403", "200") AND uri IN ("/dataservice/*", "/j_security_check", "/rest/*")))
| rex field=_raw "(?<src_ip>\\b(?:[0-9]{1,3}\\.){3}[0-9]{1,3}\\b)"
| rex field=_raw "(?<http_method>GET|POST|PUT|DELETE|PATCH) (?<uri_path>\/[^\\s]+)"
| stats count AS attempt_count, dc(uri_path) AS distinct_paths, values(http_method) AS methods, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, host
| where attempt_count >= 3
| eval severity=if(attempt_count>=10, "critical", "high")
| eval cve="CVE-2026-20127"
| table _time, src_ip, host, attempt_count, distinct_paths, methods, first_seen, last_seen, severity, cve

sequence by source.ip with maxspan=2m
  [network where host.name : ("vmanage*", "vbond*", "vsmart*") and
   http.response.status_code in (401, 403) and
   http.request.method in ("GET", "POST") and
   url.path : ("/dataservice/*", "/j_security_check", "/rest/*")]
  [network where host.name : ("vmanage*", "vbond*", "vsmart*") and
   http.response.status_code == 200 and
   url.path : ("/dataservice/*", "/rest/*") and
   not (user.name : ("admin", "svc-*"))]

SELECT
  sourceip,
  destinationip,
  URL,
  "HTTP Response Code" AS http_status,
  username,
  COUNT(*) AS event_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Cisco SD-WAN', 'Cisco vManage', 'Cisco IOS')
  AND (
    "HTTP Response Code" IN ('401', '403')
    OR LOWER("Message") ILIKE '%bypass%'
    OR LOWER("Message") ILIKE '%unauthenticated%'
    OR LOWER("Message") ILIKE '%unauthorized%'
  )
  AND (
    URL ILIKE '%/dataservice/%'
    OR URL ILIKE '%/j_security_check%'
    OR URL ILIKE '%/rest/%'
  )
  AND LOGSOURCENAME(logsourceid) ILIKE '%vmanage%'
  AND starttime > NOW() - 3600000
GROUP BY sourceip, destinationip, URL, http_status, username
HAVING COUNT(*) >= 3
ORDER BY event_count DESC

_sourceCategory=cisco/sdwan OR _sourceCategory=network/cisco/vmanage
| parse regex "(?<src_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)" nodrop
| parse regex "(?<http_status>\b[45]\d{2}\b)" nodrop
| parse regex "(?<uri_path>/(?:dataservice|rest|j_security_check)[^\s"]*)" nodrop
| where http_status in ("401", "403") or _raw matches "*bypass*" or _raw matches "*unauthenticated*"
| where uri_path matches "*dataservice*" or uri_path matches "*j_security_check*" or uri_path matches "*rest/*"
| timeslice 5m
| stats count as attempt_count, dcount(uri_path) as distinct_paths by src_ip, _timeslice
| where attempt_count >= 3
| sort by attempt_count desc
| fields _timeslice, src_ip, attempt_count, distinct_paths

rule cisco_sdwan_auth_bypass_cve_2026_20127 {
  meta:
    author = "df00tech"
    description = "Detects authentication bypass attempts against Cisco Catalyst SD-WAN Controller and Manager (CVE-2026-20127)"
    severity = "CRITICAL"
    reference = "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
    cve = "CVE-2026-20127"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.target.hostname /(?i)(vmanage|vbond|vsmart|sdwan)/
    (
      $e.network.http.response_code = 401 or
      $e.network.http.response_code = 403 or
      re.regex($e.network.http.request_url, `(?i)/(dataservice|j_security_check|rest)/`)
    )
    $e.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #e >= 3
}

#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| LocalAddressIP4 = /^(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| (RemotePort in (443, 8443, 8080, 8888) OR RemotePort = 443)
| (HttpPath = /\/(?:dataservice|j_security_check|rest)\// OR HttpStatusCode in ("401", "403"))
| HostnameField = /(?i)(vmanage|vbond|vsmart|sdwan)/
| groupBy([RemoteAddressIP4, HostnameField, HttpPath], function=[count(aid, as=attempt_count), min(timestamp, as=first_seen), max(timestamp, as=last_seen), collect(HttpStatusCode, as=status_codes)])
| where attempt_count >= 3
| sort(attempt_count, order=desc)