Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in Google Chronicle

CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.

MITRE ATT&CK

Tactics

  • Initial Access
  • Persistence
  • Credential Access

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule cisco_sdwan_auth_bypass_cve_2026_20127 {
  meta:
    author = "df00tech"
    description = "Detects authentication bypass attempts against Cisco Catalyst SD-WAN Controller and Manager (CVE-2026-20127)"
    severity = "CRITICAL"
    reference = "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
    cve = "CVE-2026-20127"

  events:
    // Only HTTP telemetry aimed at SD-WAN management hosts
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.target.hostname = /(?i)(vmanage|vbond|vsmart|sdwan)/
    // Either an auth failure or a request to a sensitive vManage path
    (
      $e.network.http.response_code = 401 or
      $e.network.http.response_code = 403 or
      re.regex($e.network.http.request_url, `(?i)/(dataservice|j_security_check|rest)/`)
    )
    $e.principal.ip = $src_ip

  match:
    $src_ip over 5m

  condition:
    #e >= 3
}
```

Severity: critical. Confidence: medium.

Chronicle YARA-L rule detecting repeated HTTP 401/403 responses or requests to sensitive vManage API paths from a single source IP over a 5-minute window. This pattern is indicative of authentication bypass probing or exploitation of CVE-2026-20127.
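To make the rule's logic concrete, the following Python script re-implements the same event filter, per-source-IP grouping, 5-minute window and `#e >= 3` threshold over a handful of constructed UDM-style events. This is an added illustration, not code from the page's author or from Chronicle: the event dictionaries, IP addresses and hostnames are invented, and the sliding window is an approximation of Chronicle's `match ... over 5m` semantics.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns copied from the YARA-L rule's events block
HOST_RE = re.compile(r"(?i)(vmanage|vbond|vsmart|sdwan)")
URL_RE = re.compile(r"(?i)/(dataservice|j_security_check|rest)/")
WINDOW = timedelta(minutes=5)   # match: $src_ip over 5m
THRESHOLD = 3                   # condition: #e >= 3


def event_matches(ev):
    """Mirror the rule's events block for one UDM-like event (a plain dict)."""
    if ev.get("event_type") != "NETWORK_HTTP":
        return False
    if not HOST_RE.search(ev.get("target_hostname", "")):
        return False
    auth_failure = ev.get("response_code") in (401, 403)
    sensitive_path = bool(URL_RE.search(ev.get("request_url", "")))
    return auth_failure or sensitive_path


def find_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Group matching events by source IP; return {ip: count} for IPs whose
    densest window of `window` length holds at least `threshold` events."""
    by_ip = defaultdict(list)
    for ev in events:
        if event_matches(ev):
            by_ip[ev["principal_ip"]].append(ev["ts"])

    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans <= 5 minutes
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


# Constructed sample telemetry (hypothetical hosts and addresses)
_T0 = datetime(2026, 1, 1, 12, 0, 0)


def _ev(offset_s, ip, host, url, code):
    return {
        "ts": _T0 + timedelta(seconds=offset_s),
        "event_type": "NETWORK_HTTP",
        "principal_ip": ip,
        "target_hostname": host,
        "request_url": url,
        "response_code": code,
    }


SAMPLE_EVENTS = [
    # 10.0.0.5: four hits within 90 seconds -> should alert
    _ev(0, "10.0.0.5", "vmanage.corp.example", "/dataservice/client/token", 401),
    _ev(30, "10.0.0.5", "vmanage.corp.example", "/j_security_check", 401),
    _ev(60, "10.0.0.5", "vmanage.corp.example", "/dataservice/device", 403),
    _ev(90, "10.0.0.5", "vmanage.corp.example", "/dataservice/admin/user", 200),
    # 10.0.0.9: a normal operator, two API calls 20 minutes apart -> no alert
    _ev(0, "10.0.0.9", "vmanage.corp.example", "/dataservice/device", 200),
    _ev(1200, "10.0.0.9", "vmanage.corp.example", "/dataservice/device", 200),
    # 10.0.0.12: three 401s spread over 20 minutes -> never 3 in one window
    _ev(0, "10.0.0.12", "sdwan-ctrl.corp.example", "/dataservice/device", 401),
    _ev(600, "10.0.0.12", "sdwan-ctrl.corp.example", "/dataservice/device", 401),
    _ev(1200, "10.0.0.12", "sdwan-ctrl.corp.example", "/dataservice/device", 401),
    # 10.0.0.7: failures against a non-SD-WAN host -> hostname filter drops them
    _ev(0, "10.0.0.7", "intranet.corp.example", "/rest/login", 401),
    _ev(5, "10.0.0.7", "intranet.corp.example", "/rest/login", 401),
    _ev(10, "10.0.0.7", "intranet.corp.example", "/rest/login", 401),
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # {'10.0.0.5': 4}
```

The fourth event for 10.0.0.5 returns 200 yet still counts, because the rule's `or` treats a request to a `/dataservice/` path as a hit regardless of status; that is what lets the rule fire on a successful bypass rather than only on failed probes, and it is also why the tuning list below matters for legitimate automation that calls the same API.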

Data Sources

  • Chronicle Network Telemetry
  • Cisco SD-WAN UDM Events
  • HTTP Proxy Logs

Required Tables

network_http

False Positives & Tuning

  • Automated SD-WAN telemetry collectors that lose session tokens and retry without re-authenticating
  • Network scanning tools during authorized vulnerability assessment windows
  • Misconfigured API gateways forwarding unauthenticated requests to vManage backend
  • Clustered vManage nodes performing internal health checks without full authentication context

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated vManage REST API Enumeration

    Expected signal: Network logs showing repeated HTTP GET/POST requests to the vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths

  2. Test 2: Authentication Bypass Session Token Harvesting Simulation

    Expected signal: HTTP request to /dataservice/device with a custom Cookie header not matching any active session, logged in the vManage access log with the source IP of the test host; the response will be 401 or 403 on a patched system, or 200 on a vulnerable one

  3. Test 3: vManage Admin Account Creation via Bypass

    Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching the test host; new user 'testbackdoor' visible in the GET /dataservice/admin/user response; network logs showing a POST request to the admin/user endpoint
