CVE-2026-20127 CrowdStrike LogScale · LogScale

Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in CrowdStrike LogScale

CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.

MITRE ATT&CK

Tactic
Initial Access Persistence Credential Access

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| LocalAddressIP4 = /^(?:10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| (RemotePort in (443, 8443, 8080, 8888) OR RemotePort = 443)
| (HttpPath = /\/(?:dataservice|j_security_check|rest)\// OR HttpStatusCode in ("401", "403"))
| HostnameField = /(?i)(vmanage|vbond|vsmart|sdwan)/
| groupBy([RemoteAddressIP4, HostnameField, HttpPath], function=[count(aid, as=attempt_count), min(timestamp, as=first_seen), max(timestamp, as=last_seen), collect(HttpStatusCode, as=status_codes)])
| where attempt_count >= 3
| sort(attempt_count, order=desc)
critical severity medium confidence

CrowdStrike Falcon LogScale CQL query identifying repeated network connections from internal sources to Cisco SD-WAN management hosts on common management ports, filtering for authentication failure response codes and sensitive API paths consistent with CVE-2026-20127 exploitation attempts.

Data Sources

CrowdStrike Falcon Network EventsHTTP Request LogsDNS Events

Required Tables

NetworkConnectIP4HttpRequest

False Positives & Tuning

  • Falcon sensor telemetry from hosts with expired SD-WAN management credentials
  • Automated infrastructure-as-code pipelines calling vManage APIs without refreshed tokens
  • Authorized penetration testing activity against SD-WAN management interfaces
  • Internal monitoring dashboards polling vManage health endpoints unauthenticated

Other platforms for CVE-2026-20127

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated vManage REST API Enumeration

    Expected signal: Network logs showing repeated HTTP GET/POST requests to vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths

  2. Test 2Authentication Bypass Session Token Harvesting Simulation

    Expected signal: HTTP request to /dataservice/device with custom Cookie header not matching any active session, logged in vManage access log with source IP of test host; response will be 401 or 403 in a patched system, or 200 in a vulnerable one

  3. Test 3vManage Admin Account Creation via Bypass

    Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching test host; new user 'testbackdoor' visible in GET /dataservice/admin/user response; network logs showing POST request to admin/user endpoint

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections