Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in Splunk
CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.
MITRE ATT&CK
SPL Detection Query
index=network OR index=cisco_sdwan OR index=syslog
(sourcetype="cisco:sdwan" OR sourcetype="cisco:vmanage" OR sourcetype="cisco:ios" OR host IN ("vmanage*", "vbond*", "vsmart*"))
| search (message IN ("*auth*bypass*", "*unauthenticated*", "*no.*session*", "*unauthorized*access*") OR (status IN ("401", "403", "200") AND uri IN ("/dataservice/*", "/j_security_check", "/rest/*")))
| rex field=_raw "(?<src_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)"
| rex field=_raw "(?<http_method>GET|POST|PUT|DELETE|PATCH) (?<uri_path>/[^\s]+)"
| stats count AS attempt_count, dc(uri_path) AS distinct_paths, values(http_method) AS methods, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, host
| where attempt_count >= 3
| eval severity=if(attempt_count>=10, "critical", "high")
| eval cve="CVE-2026-20127"
| table src_ip, host, attempt_count, distinct_paths, methods, first_seen, last_seen, severity, cve
Detects exploitation attempts of CVE-2026-20127 by identifying anomalous unauthenticated or authentication-bypassing requests to Cisco SD-WAN vManage REST API endpoints (/dataservice, /j_security_check), aggregated by source IP to surface brute-force or automated exploit tooling. The `status` and `uri` fields in the search clause are expected from the sourcetype's own field extractions; `src_ip`, `http_method` and `uri_path` are extracted from `_raw` by the rex commands. Note that `stats ... BY src_ip, host` drops `_time`, so the results are keyed by `first_seen` and `last_seen` rather than a per-event timestamp.
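The same grouping and thresholding logic as the SPL above, as an added Python example that is not part of the original page, run offline over a few constructed vManage access-log lines. The log line format and its host/src/method/uri/status fields are assumptions for the example, not the product's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real telemetry); the key=value layout is assumed.
SAMPLE_LOGS = """\
2026-02-25T10:00:01Z host=vmanage01 src=203.0.113.10 method=GET uri=/dataservice/client/server status=401
2026-02-25T10:00:02Z host=vmanage01 src=203.0.113.10 method=GET uri=/dataservice/device status=403
2026-02-25T10:00:03Z host=vmanage01 src=203.0.113.10 method=POST uri=/j_security_check status=200
2026-02-25T10:00:04Z host=vmanage01 src=203.0.113.10 method=GET uri=/dataservice/admin/user status=200
2026-02-25T10:00:05Z host=vmanage01 src=198.51.100.7 method=GET uri=/dataservice/device status=200
2026-02-25T10:00:06Z host=vmanage01 src=198.51.100.7 method=GET uri=/static/logo.png status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"method=(?P<method>GET|POST|PUT|DELETE|PATCH) uri=(?P<uri>/\S+) status=(?P<status>\d{3})$"
)
# Mirrors the SPL: status IN (401, 403, 200) AND uri IN (/dataservice/*, /j_security_check, /rest/*)
WATCHED_STATUS = {"401", "403", "200"}
WATCHED_PREFIXES = ("/dataservice/", "/rest/")
WATCHED_EXACT = {"/j_security_check"}


def is_watched(uri, status):
    return status in WATCHED_STATUS and (uri.startswith(WATCHED_PREFIXES) or uri in WATCHED_EXACT)


def aggregate(log_text, threshold=3, critical_at=10):
    """Group watched requests by (src_ip, host), like the stats/where/eval stages of the query."""
    groups = defaultdict(lambda: {"n": 0, "paths": set(), "methods": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_watched(m["uri"], m["status"]):
            continue  # unparseable line or not a watched endpoint/status: skip
        g = groups[(m["src_ip"], m["host"])]
        g["n"] += 1
        g["paths"].add(m["uri"])
        g["methods"].add(m["method"])
        g["first"] = g["first"] or m["ts"]  # lines are assumed to be in time order
        g["last"] = m["ts"]
    alerts = []
    for (src_ip, host), g in groups.items():
        if g["n"] < threshold:  # where attempt_count >= 3
            continue
        alerts.append({"src_ip": src_ip, "host": host, "attempt_count": g["n"],
                       "distinct_paths": len(g["paths"]), "methods": sorted(g["methods"]),
                       "first_seen": g["first"], "last_seen": g["last"],
                       "severity": "critical" if g["n"] >= critical_at else "high",
                       "cve": "CVE-2026-20127"})
    return alerts
```

Running `aggregate(SAMPLE_LOGS)` on the sample yields one alert for 203.0.113.10 (four watched requests across four paths) and none for 198.51.100.7, whose single /dataservice/ hit stays under the threshold.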
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated API integration scripts that lack proper session management hitting vManage endpoints
- Vulnerability scanners generating authentication probe traffic during approved scan windows
- Misconfigured SD-WAN nodes sending health-check requests without valid session tokens
- Penetration testing engagements targeting SD-WAN infrastructure with prior authorization
Other platforms for CVE-2026-20127
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated vManage REST API Enumeration
Expected signal: Network logs showing repeated HTTP GET/POST requests to the vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths
- Test 2: Authentication Bypass Session Token Harvesting Simulation
Expected signal: HTTP request to /dataservice/device with a custom Cookie header not matching any active session, logged in the vManage access log with the source IP of the test host; the response will be 401 or 403 on a patched system, or 200 on a vulnerable one
- Test 3: vManage Admin Account Creation via Bypass
Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching the test host; new user 'testbackdoor' visible in the GET /dataservice/admin/user response; network logs showing a POST request to the admin/user endpoint
References
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20127