Detect Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20182) in IBM QRadar
Detects exploitation attempts of CVE-2026-20182, an authentication bypass vulnerability (CWE-287) in the Cisco Catalyst SD-WAN Controller. This KEV-listed vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized access to the SD-WAN management plane. Successful exploitation can lead to full network fabric compromise, configuration tampering, and lateral movement across SD-WAN-connected sites.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
QIDNAME(qid) AS event_name,
category,
logsourcename(logsourceid) AS log_source,
magnitude,
COUNT(*) OVER (PARTITION BY sourceip ORDER BY starttime ROWS BETWEEN 299 PRECEDING AND CURRENT ROW) AS events_last_5min
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) ILIKE '%cisco%'
AND (
(
LOGSOURCETYPENAME(devicetype) ILIKE '%sd-wan%'
OR LOGSOURCETYPENAME(devicetype) ILIKE '%vmanage%'
OR LOGSOURCETYPENAME(devicetype) ILIKE '%catalyst%'
)
OR (
destinationport IN (443, 8443, 8080, 830, 8888)
AND (
UTF8(payload) ILIKE '%/dataservice%'
OR UTF8(payload) ILIKE '%/j_security_check%'
OR UTF8(payload) ILIKE '%unauthorized%'
OR UTF8(payload) ILIKE '%auth bypass%'
OR UTF8(payload) ILIKE '%authentication failure%'
)
)
)
AND NOT INCIDR(sourceip, '10.0.0.0/8')
AND NOT INCIDR(sourceip, '172.16.0.0/12')
AND NOT INCIDR(sourceip, '192.168.0.0/16')
AND starttime > NOW() - 3600000
ORDER BY starttime DESC
LIMIT 1000AQL query against QRadar event pipeline targeting Cisco SD-WAN log sources for authentication anomalies, external management plane access, and bypass indicators consistent with CVE-2026-20182 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Authorized external management access from documented administrator IPs
- Cisco TAC remote access sessions during support engagements
- SD-WAN monitoring platforms hosted outside the corporate network range
- CI/CD pipeline automation interacting with SD-WAN APIs from cloud egress IPs
Other platforms for CVE-2026-20182
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated vManage API Endpoint Enumeration
Expected signal: HTTP GET requests to vManage management port (8443) targeting /dataservice/* and /j_security_check endpoints from the test host IP, captured in vManage access logs and network firewall logs. Response codes of 200 or 401/403 depending on vulnerability state.
- Test 2Authentication Bypass Session Token Forge Attempt
Expected signal: POST requests to /j_security_check and GET requests to /dataservice/* with anomalous Authorization headers or malformed JSESSIONID cookies visible in vManage access logs, web proxy logs, and network PCAP. HTTP response codes of 200, 302, 401, or 403 depending on patch state.
- Test 3Post-Exploitation SD-WAN Configuration Exfiltration Simulation
Expected signal: Sequential GET requests to /dataservice/device, /dataservice/template/device, and /dataservice/system/device/controllers within a short time window, all using the same session cookie. Requests captured in vManage audit log as API access events and in network logs as HTTPS traffic to management port.
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- https://nvd.nist.gov/vuln/detail/CVE-2026-20182
Unlock Pro Content
Get the full detection package for CVE-2026-20182 including response playbook, investigation guide, and atomic red team tests.