Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in IBM QRadar
CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.
MITRE ATT&CK
QRadar Detection Query
SELECT
sourceip,
destinationip,
URL,
"HTTP Response Code" AS http_status,
username,
COUNT(*) AS event_count,
MIN(starttime) AS first_seen,
MAX(starttime) AS last_seen
FROM events
WHERE
LOGSOURCETYPENAME(logsourceid) IN ('Cisco SD-WAN', 'Cisco vManage', 'Cisco IOS')
AND (
"HTTP Response Code" IN ('401', '403')
OR LOWER("Message") ILIKE '%bypass%'
OR LOWER("Message") ILIKE '%unauthenticated%'
OR LOWER("Message") ILIKE '%unauthorized%'
)
AND (
URL ILIKE '%/dataservice/%'
OR URL ILIKE '%/j_security_check%'
OR URL ILIKE '%/rest/%'
)
AND LOGSOURCENAME(logsourceid) ILIKE '%vmanage%'
AND starttime > NOW() - 3600000
GROUP BY sourceip, destinationip, URL, http_status, username
HAVING COUNT(*) >= 3
ORDER BY event_count DESCQRadar AQL query identifying repeated unauthorized or authentication-bypassing requests to Cisco vManage management API paths from a single source IP within the last hour. Grouping by source IP, URL, and HTTP status exposes automated exploit tooling characteristic of CVE-2026-20127 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- API monitoring tools that poll vManage endpoints and lack valid session cookies
- Load balancer health probes hitting authentication-protected endpoints
- Automated backup or configuration management tools with expired credentials
- Security scanner traffic from approved internal vulnerability management platforms
Other platforms for CVE-2026-20127
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated vManage REST API Enumeration
Expected signal: Network logs showing repeated HTTP GET/POST requests to vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths
- Test 2Authentication Bypass Session Token Harvesting Simulation
Expected signal: HTTP request to /dataservice/device with custom Cookie header not matching any active session, logged in vManage access log with source IP of test host; response will be 401 or 403 in a patched system, or 200 in a vulnerable one
- Test 3vManage Admin Account Creation via Bypass
Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching test host; new user 'testbackdoor' visible in GET /dataservice/admin/user response; network logs showing POST request to admin/user endpoint
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20127
Unlock Pro Content
Get the full detection package for CVE-2026-20127 including response playbook, investigation guide, and atomic red team tests.