Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in Microsoft Sentinel
CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.
MITRE ATT&CK
KQL Detection Query
union CommonSecurityLog, DeviceNetworkEvents
| where TimeGenerated >= ago(7d)
| where (DeviceProduct has_any ("SD-WAN", "vManage", "vBond", "vSmart") or ProcessName has_any ("vmanage", "vbond", "vsmart"))
| where (Activity has_any ("authentication bypass", "unauthenticated", "unauthorized") or Message has_any ("auth_bypass", "no_auth", "bypass", "401", "403") or (EventID in (4625, 4648, 4624) and LogonType == 3))
| extend SourceIPAddress = coalesce(SourceIP, RemoteIP)
| summarize AttemptCount = count(), DistinctURIs = dcount(RequestURL), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIPAddress, DestinationIP, bin(TimeGenerated, 5m)
| where AttemptCount >= 3
| extend Severity = iif(AttemptCount >= 10, "Critical", "High")
| project TimeGenerated, SourceIPAddress, DestinationIP, AttemptCount, DistinctURIs, FirstSeen, LastSeen, SeverityDetects authentication bypass attempts against Cisco Catalyst SD-WAN Controller (vManage) and Manager by correlating repeated unauthorized access attempts from a single source, anomalous access to management APIs without valid session tokens, and unusual HTTP response patterns consistent with CVE-2026-20127 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate security scanners or vulnerability assessment tools targeting SD-WAN management interfaces
- Misconfigured monitoring agents repeatedly polling vManage API endpoints without valid credentials
- Network troubleshooting sessions by administrators using non-standard authentication flows
- Load balancer health checks generating unauthenticated probes to vManage endpoints
Other platforms for CVE-2026-20127
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated vManage REST API Enumeration
Expected signal: Network logs showing repeated HTTP GET/POST requests to vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths
- Test 2Authentication Bypass Session Token Harvesting Simulation
Expected signal: HTTP request to /dataservice/device with custom Cookie header not matching any active session, logged in vManage access log with source IP of test host; response will be 401 or 403 in a patched system, or 200 in a vulnerable one
- Test 3vManage Admin Account Creation via Bypass
Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching test host; new user 'testbackdoor' visible in GET /dataservice/admin/user response; network logs showing POST request to admin/user endpoint
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20127
Unlock Pro Content
Get the full detection package for CVE-2026-20127 including response playbook, investigation guide, and atomic red team tests.