Detect Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) in Elastic Security
Detects exploitation attempts of CVE-2026-20182, an authentication bypass vulnerability (CWE-287) in the Cisco Catalyst SD-WAN Controller. This KEV-listed vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized access to the SD-WAN management plane. Successful exploitation can lead to full network fabric compromise, configuration tampering, and lateral movement across SD-WAN-connected sites.
MITRE ATT&CK
Elastic Detection Query
sequence by source.ip with maxspan=10m
[
network where
destination.port in (443, 8443, 8080, 830, 8888) and
(
destination.domain like~ "*vmanage*" or
destination.domain like~ "*sdwan*" or
destination.domain like~ "*catalyst-sdwan*" or
tags : ("cisco-sdwan", "vmanage")
) and
not source.ip : ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
[
network where
http.response.status_code in (200, 302) and
(
url.path like "/dataservice*" or
url.path like "/api/*" or
url.path like "/j_security_check*"
)
]
[
any where
event.action in ("authentication_success", "session_created", "login") and
tags : ("cisco-sdwan", "vmanage", "sd-wan")
]EQL sequence detection identifying the authentication bypass pattern: external connection to SD-WAN management port, followed by successful HTTP response on authenticated endpoint, followed by session establishment — without a corresponding valid credential event.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate remote administration sessions from authorized external administrators
- SD-WAN API integrations using service accounts with external-facing IPs
- VPN-terminated traffic appearing as external due to NAT configuration
- Automated backup or compliance scanning tools accessing management interfaces
Other platforms for CVE-2026-20182
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated vManage API Endpoint Enumeration
Expected signal: HTTP GET requests to vManage management port (8443) targeting /dataservice/* and /j_security_check endpoints from the test host IP, captured in vManage access logs and network firewall logs. Response codes of 200 or 401/403 depending on vulnerability state.
- Test 2Authentication Bypass Session Token Forge Attempt
Expected signal: POST requests to /j_security_check and GET requests to /dataservice/* with anomalous Authorization headers or malformed JSESSIONID cookies visible in vManage access logs, web proxy logs, and network PCAP. HTTP response codes of 200, 302, 401, or 403 depending on patch state.
- Test 3Post-Exploitation SD-WAN Configuration Exfiltration Simulation
Expected signal: Sequential GET requests to /dataservice/device, /dataservice/template/device, and /dataservice/system/device/controllers within a short time window, all using the same session cookie. Requests captured in vManage audit log as API access events and in network logs as HTTPS traffic to management port.
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- https://nvd.nist.gov/vuln/detail/CVE-2026-20182
Unlock Pro Content
Get the full detection package for CVE-2026-20182 including response playbook, investigation guide, and atomic red team tests.