Which SIEM platforms have a CVE-2026-20182 detection rule?

df00tech provides CVE-2026-20182 (Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) (CVE-2026-20182)?

Detecting Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) requires the following data sources: CommonSecurityLog, W3CIISLog, AzureNetworkAnalytics_CL, DeviceNetworkEvents, Syslog.

What severity and confidence is the CVE-2026-20182 detection?

The CVE-2026-20182 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-20182?

Common false positives for CVE-2026-20182 include: Legitimate administrative access from internal management networks on SD-WAN management ports; Automated monitoring or health-check systems polling the SD-WAN vManage API; Penetration testing or authorized red team exercises against SD-WAN infrastructure.

CVE-2026-20182

Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)

Initial Access Privilege Escalation Defense Evasion Lateral Movement Last updated: June 19, 2026

Detects exploitation attempts of CVE-2026-20182, an authentication bypass vulnerability (CWE-287) in the Cisco Catalyst SD-WAN Controller. This KEV-listed vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized access to the SD-WAN management plane. Successful exploitation can lead to full network fabric compromise, configuration tampering, and lateral movement across SD-WAN-connected sites.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-20182↗ NVD

Affected Software

Vendor: Cisco
Product: Catalyst SD-WAN

Weakness (CWE)

CWE-287

Timeline

Disclosed: May 14, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)?

Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) (CVE-2026-20182) maps to the Initial Access and Privilege Escalation and Defense Evasion and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureNetworkAnalytics_CL, DeviceNetworkEvents, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Privilege Escalation Defense Evasion Lateral Movement

Microsoft Sentinel / Defender

kusto

let sdwan_management_ports = dynamic([443, 8443, 8080, 8888, 830]);
let suspicious_paths = dynamic(["/dataservice", "/api/", "/j_security_check", "/login", "/management"]);
union
(
  CommonSecurityLog
  | where DeviceVendor has_any ("Cisco") and DeviceProduct has_any ("SD-WAN", "vManage", "vSmart", "vBond")
  | where Activity has_any ("auth_bypass", "authentication failure", "unauthorized", "401", "403")
  | extend SourceIP = coalesce(SourceIP, DeviceAddress)
),
(
  W3CIISLog
  | where csUriStem has_any (suspicious_paths)
  | where scStatus in (200, 302) and csMethod in ("GET", "POST")
  | where csUriQuery has_any ("token=", "jwt=", "session=")
),
(
  AzureNetworkAnalytics_CL
  | where DestPort_d in (sdwan_management_ports)
  | where FlowStatus_s == "A"
  | where FlowType_s == "ExternalPublic"
),
(
  DeviceNetworkEvents
  | where RemotePort in (sdwan_management_ports)
  | where InitiatingProcessFileName in~ ("curl.exe", "python.exe", "python3", "wget", "powershell.exe")
  | where RemoteUrl has_any ("vmanage", "sdwan", "catalyst-sdwan")
)
| summarize
    EventCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    UniqueSourceIPs = dcount(SourceIP)
  by bin(TimeGenerated, 5m), SourceIP, DestinationIP
| where EventCount > 5 or UniqueSourceIPs > 3
| extend
    Severity = "Critical",
    CVE = "CVE-2026-20182",
    Vendor = "Cisco",
    Product = "Catalyst SD-WAN"
| project TimeGenerated, SourceIP, DestinationIP, EventCount, UniqueSourceIPs, FirstSeen, LastSeen, Severity, CVE, Vendor, Product

Detects authentication bypass exploitation attempts against Cisco Catalyst SD-WAN management interfaces by correlating anomalous HTTP responses, management port access from external IPs, and authentication failures across network and endpoint telemetry.

critical severity medium confidence

Data Sources

CommonSecurityLog W3CIISLog AzureNetworkAnalytics_CL DeviceNetworkEvents Syslog

Required Tables

CommonSecurityLog W3CIISLog AzureNetworkAnalytics_CL DeviceNetworkEvents

False Positives

Legitimate administrative access from internal management networks on SD-WAN management ports
Automated monitoring or health-check systems polling the SD-WAN vManage API
Penetration testing or authorized red team exercises against SD-WAN infrastructure
Certificate renewal or automated orchestration tools accessing management APIs
Load balancer health probes targeting SD-WAN controller endpoints

Splunk

spl

index=network OR index=cisco OR index=firewall OR index=proxy
(
  (sourcetype="cisco:ios" OR sourcetype="cisco:sdwan" OR sourcetype="cisco:vmanage")
  (
    ("authentication bypass" OR "auth bypass" OR "unauthorized access" OR "CWE-287")
    OR ("vManage" AND ("401" OR "403" OR "login failed" OR "session invalid"))
    OR ("vSmart" AND ("unauthorized" OR "privilege escalation"))
    OR ("vBond" AND ("authentication" AND ("failed" OR "bypass" OR "invalid")))
  )
)
OR
(
  sourcetype="access_combined" OR sourcetype="apache:access"
  (uri_path="/dataservice*" OR uri_path="/api/*" OR uri_path="/j_security_check*")
  (status=200 OR status=302)
  NOT (src_ip="10.*" OR src_ip="172.16.*" OR src_ip="192.168.*")
)
OR
(
  sourcetype="cisco:asa" OR sourcetype="pan:traffic"
  (dest_port=443 OR dest_port=8443 OR dest_port=8080 OR dest_port=830)
  action=allowed
  (app="ssl" OR app="https")
)
| eval cve="CVE-2026-20182"
| eval vendor="Cisco"
| eval product="Catalyst SD-WAN"
| eval severity="critical"
| bucket _time span=5m
| stats
    count AS event_count,
    dc(src_ip) AS unique_src_ips,
    values(src_ip) AS source_ips,
    values(dest_ip) AS dest_ips,
    values(uri_path) AS accessed_paths,
    min(_time) AS first_seen,
    max(_time) AS last_seen
  BY _time, cve, vendor, product, severity
| where event_count > 5 OR unique_src_ips > 3
| sort -event_count

Correlates Cisco SD-WAN authentication events, management API access from external sources, and anomalous HTTP status code patterns to surface authentication bypass exploitation of CVE-2026-20182.

critical severity medium confidence

Data Sources

Cisco vManage logs Cisco IOS logs Firewall/proxy logs Web access logs

Required Sourcetypes

cisco:sdwan cisco:vmanage cisco:ios access_combined cisco:asa pan:traffic

False Positives

Legitimate SD-WAN API automation from internal orchestration platforms
Authorized SD-WAN configuration management tools triggering high event volumes
ITSM or SIEM integrations polling vManage API for telemetry collection
Vulnerability scanners or asset inventory tools probing management ports
Cloud-based SD-WAN analytics or monitoring agents with external IPs

Sumo Logic CSE

sql

_sourceCategory=cisco/sdwan OR _sourceCategory=network/firewall OR _sourceCategory=cisco/vmanage
| where _sourceCategory matches "cisco*" or _sourceCategory matches "*sdwan*" or _sourceCategory matches "*vmanage*"
| parse "*" as raw_msg nodrop
| parse field=raw_msg "src=* " as src_ip nodrop
| parse field=raw_msg "dst=* " as dst_ip nodrop
| parse field=raw_msg "dport=*" as dst_port nodrop
| parse field=raw_msg "status=*" as http_status nodrop
| parse field=raw_msg "uri=*" as uri nodrop
| where (
    (uri matches "/dataservice*" or uri matches "/api/*" or uri matches "/j_security_check*")
    or (raw_msg matches "*authentication bypass*" or raw_msg matches "*unauthorized*" or raw_msg matches "*auth failed*")
    or dst_port in ("443", "8443", "8080", "830", "8888")
  )
| where !(src_ip matches "10.*" or src_ip matches "172.16.*" or src_ip matches "172.17.*" or src_ip matches "192.168.*")
| timeslice 5m
| stats
    count as event_count,
    count_distinct(src_ip) as unique_sources,
    values(uri) as accessed_paths,
    values(http_status) as http_statuses
  by _timeslice, dst_ip
| where event_count > 10 or unique_sources > 3
| fields _timeslice, dst_ip, event_count, unique_sources, accessed_paths, http_statuses
| sort by event_count desc

Sumo Logic query detecting external authentication bypass attempts against Cisco Catalyst SD-WAN management endpoints by correlating event volume, URI patterns, and external source IPs.

critical severity medium confidence

Data Sources

Cisco SD-WAN syslogs Cisco vManage audit logs Network perimeter firewall logs

Required Tables

_sourceCategory=cisco/sdwan _sourceCategory=cisco/vmanage _sourceCategory=network/firewall

False Positives

Third-party SD-WAN management overlays or SASE platforms with external IP addresses
Legitimate API polling from cloud-hosted monitoring services
Authorized VPN or remote access solutions that egress with public IP addresses
Partner or contractor administrative access from non-RFC1918 source ranges

Google Chronicle / SecOps

yaral

rule cisco_sdwan_auth_bypass_cve_2026_20182 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects authentication bypass exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-20182"
    mitre_attack = "T1190, T1078, T1556"
    created = "2026-06-19"

  events:
    (
      $e1.metadata.event_type = "NETWORK_HTTP" or
      $e1.metadata.event_type = "NETWORK_CONNECTION" or
      $e1.metadata.event_type = "USER_LOGIN"
    )
    and (
      $e1.target.application = /(?i)(vmanage|vsmart|vbond|sd.wan|catalyst.sdwan)/ or
      $e1.target.port = 8443 or
      $e1.target.port = 830 or
      (
        $e1.target.port = 443 and
        (
          $e1.network.http.referral_url = /(?i)\/dataservice/ or
          $e1.network.http.referral_url = /(?i)\/j_security_check/
        )
      )
    )
    and (
      $e1.network.http.response_code = 200 or
      $e1.network.http.response_code = 302
    )
    and not net.ip_in_range_cidr($e1.principal.ip, "10.0.0.0/8")
    and not net.ip_in_range_cidr($e1.principal.ip, "172.16.0.0/12")
    and not net.ip_in_range_cidr($e1.principal.ip, "192.168.0.0/16")

  match:
    $e1.principal.ip over 5m

  outcome:
    $risk_score = max(
      if($e1.target.port = 830, 95,
      if($e1.target.port = 8443, 90, 80))
    )
    $event_count = count_distinct($e1.metadata.id)
    $target_ips = array_distinct($e1.target.ip)
    $source_ip = $e1.principal.ip

  condition:
    #e1 > 3
}

Chronicle YARA-L rule correlating external HTTP access to Cisco SD-WAN management endpoints with successful response codes, flagging authentication bypass patterns consistent with CVE-2026-20182.

critical severity high confidence

Data Sources

Chronicle network telemetry Cisco SD-WAN UDM events Firewall/proxy ingested into Chronicle

Required Tables

network_http network_connection user_login

False Positives

Authorized remote Cisco TAC sessions performing diagnostic access
SD-WAN telemetry collectors with external-facing IP addresses ingesting management data
Contracted managed security providers administering SD-WAN on behalf of the organization
Cloud-hosted ITSM or change management platforms triggering API calls

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (NetworkConnectIP4, NetworkConnectIP6, HttpRequest, ProcessRollup2)
| $targetPorts := [443, 8443, 8080, 830, 8888]
| $sdwanIndicators := ["vmanage", "vsmart", "vbond", "sdwan", "catalyst-sdwan", "/dataservice", "/j_security_check"]
| $externalRanges := ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
| case {
    #event_simpleName = "NetworkConnectIP4" |
      RemotePort IN $targetPorts
      AND NOT RemoteAddressIP4 IN CIDR($externalRanges)
      AND (
        HttpUrl LIKE "%dataservice%"
        OR HttpUrl LIKE "%j_security_check%"
        OR HttpUrl LIKE "%vmanage%"
      ) ;
    #event_simpleName = "ProcessRollup2" |
      FileName IN ["curl", "wget", "python3", "python", "ruby", "go"]
      AND CommandLine LIKE "%sdwan%"
      OR CommandLine LIKE "%vmanage%"
      OR CommandLine LIKE "%dataservice%" ;
    true | false
  }
| groupBy(
    [aid, ComputerName, UserName, RemoteAddressIP4, RemotePort, HttpUrl],
    function=[
      count(#event_simpleName, as=event_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| where event_count > 5
| eval cve="CVE-2026-20182"
| eval vendor="Cisco"
| eval product="Catalyst SD-WAN"
| eval severity="critical"
| sort -event_count
| limit 200

CrowdStrike LogScale/Falcon query correlating network connections and process executions indicative of authentication bypass attempts against Cisco Catalyst SD-WAN management interfaces from endpoints in the environment.

critical severity medium confidence

Data Sources

CrowdStrike Falcon network events CrowdStrike process telemetry HTTP request events

Required Tables

NetworkConnectIP4 NetworkConnectIP6 HttpRequest ProcessRollup2

False Positives

Security tools on endpoints making API calls to SD-WAN for monitoring purposes
Developers or network engineers using curl/python scripts for SD-WAN automation from managed endpoints
Authorized penetration testing from enrolled endpoints
Ansible or Terraform-based network automation tools installed on managed hosts

Sigma rule & cross-platform mapping

The detection logic for Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) (CVE-2026-20182) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-20182 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-20182

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (4)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Unauthenticated vManage API Endpoint Enumeration
Expected signal: HTTP GET requests to vManage management port (8443) targeting /dataservice/* and /j_security_check endpoints from the test host IP, captured in vManage access logs and network firewall logs. Response codes of 200 or 401/403 depending on vulnerability state.
Test 2Authentication Bypass Session Token Forge Attempt
Expected signal: POST requests to /j_security_check and GET requests to /dataservice/* with anomalous Authorization headers or malformed JSESSIONID cookies visible in vManage access logs, web proxy logs, and network PCAP. HTTP response codes of 200, 302, 401, or 403 depending on patch state.
Test 3Post-Exploitation SD-WAN Configuration Exfiltration Simulation
Expected signal: Sequential GET requests to /dataservice/device, /dataservice/template/device, and /dataservice/system/device/controllers within a short time window, all using the same session cookie. Requests captured in vManage audit log as API access events and in network logs as HTTPS traffic to management port.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-20182 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0004Privilege Escalation TA0005Defense Evasion TA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing Application T1078Valid Accounts T1556Modify Authentication Process T1021.007Cloud Services

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-20182

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox