CVE-2026-20127 Elastic Security · Elastic

Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in Elastic Security

CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.

MITRE ATT&CK

Tactic
Initial Access Persistence Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=2m
  [network where host.name : ("vmanage*", "vbond*", "vsmart*") and
   http.response.status_code in (401, 403) and
   http.request.method in ("GET", "POST") and
   url.path : ("/dataservice/*", "/j_security_check", "/rest/*")]
  [network where host.name : ("vmanage*", "vbond*", "vsmart*") and
   http.response.status_code == 200 and
   url.path : ("/dataservice/*", "/rest/*") and
   not (user.name : ("admin", "svc-*"))]
critical severity high confidence

EQL sequence rule detecting a failed authentication attempt immediately followed by a successful HTTP 200 response to SD-WAN management API paths from the same source IP within two minutes — a pattern consistent with authentication bypass exploitation of CVE-2026-20127.

Data Sources

Elastic Agent Network EventsFilebeat HTTP LogsPacketbeat

Required Tables

logs-network.*logs-cisco.sdwan*packetbeat-*

False Positives & Tuning

  • Legitimate API clients that retry after receiving a 401 with refreshed credentials
  • Reverse proxy infrastructure that may rewrite response codes before logging
  • Authorized red team exercises targeting SD-WAN management APIs
  • Cached session expiry causing a single 401 then immediate re-auth to the same endpoint

Other platforms for CVE-2026-20127

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated vManage REST API Enumeration

    Expected signal: Network logs showing repeated HTTP GET/POST requests to vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths

  2. Test 2Authentication Bypass Session Token Harvesting Simulation

    Expected signal: HTTP request to /dataservice/device with custom Cookie header not matching any active session, logged in vManage access log with source IP of test host; response will be 401 or 403 in a patched system, or 200 in a vulnerable one

  3. Test 3vManage Admin Account Creation via Bypass

    Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching test host; new user 'testbackdoor' visible in GET /dataservice/admin/user response; network logs showing POST request to admin/user endpoint

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections