CVE-2026-20127 Sumo Logic CSE · Sumo

Detect Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass (CVE-2026-20127) in Sumo Logic CSE

CVE-2026-20127 is an authentication bypass vulnerability (CWE-287) affecting Cisco Catalyst SD-WAN Controller and Manager. A remote, unauthenticated attacker may exploit improper authentication mechanisms to gain unauthorized access to the management plane. This vulnerability is actively exploited in the wild per CISA KEV and is subject to Emergency Directive ED-26-03.

MITRE ATT&CK

Tactic
Initial Access Persistence Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=cisco/sdwan OR _sourceCategory=network/cisco/vmanage
| parse regex "(?<src_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)" nodrop
| parse regex "(?<http_status>\b[45]\d{2}\b)" nodrop
| parse regex "(?<uri_path>/(?:dataservice|rest|j_security_check)[^\s"]*)" nodrop
| where http_status in ("401", "403") or _raw matches "*bypass*" or _raw matches "*unauthenticated*"
| where uri_path matches "*dataservice*" or uri_path matches "*j_security_check*" or uri_path matches "*rest/*"
| timeslice 5m
| stats count as attempt_count, dcount(uri_path) as distinct_paths by src_ip, _timeslice
| where attempt_count >= 3
| sort by attempt_count desc
| fields _timeslice, src_ip, attempt_count, distinct_paths
critical severity medium confidence

Sumo Logic query detecting repeated authentication failure or bypass patterns against Cisco vManage SD-WAN management API endpoints. Aggregates by source IP in 5-minute windows to surface burst exploitation patterns consistent with CVE-2026-20127.

Data Sources

Cisco SD-WAN LogsSyslogHTTP Access Logs

Required Tables

cisco/sdwannetwork/cisco/vmanage

False Positives & Tuning

  • Legitimate API orchestration tools with expired or missing OAuth tokens hitting vManage
  • Network monitoring solutions probing SD-WAN controller availability endpoints
  • Automated configuration compliance checks without valid authentication context
  • Misconfigured SD-WAN overlay nodes sending unauthenticated keepalive messages

Other platforms for CVE-2026-20127

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated vManage REST API Enumeration

    Expected signal: Network logs showing repeated HTTP GET/POST requests to vManage management IP on port 443 with response codes 401, 403, or 200 from the test host IP across multiple /dataservice/ URI paths

  2. Test 2Authentication Bypass Session Token Harvesting Simulation

    Expected signal: HTTP request to /dataservice/device with custom Cookie header not matching any active session, logged in vManage access log with source IP of test host; response will be 401 or 403 in a patched system, or 200 in a vulnerable one

  3. Test 3vManage Admin Account Creation via Bypass

    Expected signal: vManage audit log entry for POST /dataservice/admin/user with actor IP matching test host; new user 'testbackdoor' visible in GET /dataservice/admin/user response; network logs showing POST request to admin/user endpoint

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections