CVE-2026-20262 IBM QRadar · QRadar

Detect Cisco Catalyst SD-WAN Manager Path Traversal Exploitation in IBM QRadar

Detects exploitation attempts targeting CVE-2026-20262, a path traversal vulnerability (CWE-22) in Cisco Catalyst SD-WAN Manager. Active exploitation has been confirmed by CISA KEV. Attackers can traverse directory boundaries via crafted HTTP requests to access sensitive files outside the web root, potentially exposing credentials, configuration data, or enabling further compromise of the SD-WAN management plane.

MITRE ATT&CK

Tactic
Initial Access Discovery Credential Access

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip AS "Source IP",
  destinationip AS "Destination IP",
  URL AS "Request URL",
  username AS "Username",
  "Response Code" AS response_code,
  LOGSOURCENAME(logsourceid) AS "Log Source",
  starttime AS "Event Time"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Cisco SD-WAN', 'Apache HTTP Server', 'Microsoft IIS', 'Nginx')
  AND (
    URL ILIKE '%../%'
    OR URL ILIKE '%..%2f%'
    OR URL ILIKE '%..%2F%'
    OR URL ILIKE '%25%32%65%25%32%65%'
    OR URL ILIKE '%2e%2e%2f%'
    OR URL ILIKE '%2e%2e/%'
  )
  AND (
    URL ILIKE '%/dataservice/%'
    OR URL ILIKE '%/management/%'
    OR URL ILIKE '%/template/%'
    OR URL ILIKE '%/config/%'
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC
critical severity medium confidence

QRadar AQL query searching for path traversal patterns in HTTP request URLs destined for Cisco SD-WAN Manager API endpoints, including URL-encoded variants.

Data Sources

Cisco SD-WAN LogsWeb Server LogsQRadar Flow

Required Tables

events

False Positives & Tuning

  • QRadar vulnerability scanning modules conducting automated assessments against network infrastructure
  • Third-party SIEM integrations that normalize log data in ways that introduce encoded path sequences
  • SD-WAN Manager administrative scripts that traverse API paths programmatically

Other platforms for CVE-2026-20262

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Basic Path Traversal File Read via SD-WAN Manager API

    Expected signal: Web server access log entry with URI containing '../../../../etc/passwd', HTTP response code 200 or 400/403 depending on patch status, source IP of test host

  2. Test 2URL-Encoded Path Traversal Against SD-WAN Template API

    Expected signal: Access log entry with raw URI containing %2e%2e%2f sequences targeting /template/ endpoint, HTTP response code logged by web server before or after URL normalization

  3. Test 3Double-Encoded Traversal Bypass Attempt

    Expected signal: Access log entry with double-encoded URI; if the server double-decodes the URL, a subsequent audit log event showing /etc/passwd file access at the OS level

  4. Test 4Traversal to SD-WAN Configuration File for Credential Harvesting

    Expected signal: Multiple HTTP requests in quick succession with traversal sequences targeting vmanage configuration paths; response sizes indicating file content if successful

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20262 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0007DiscoveryTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1552.001Credentials In FilesT1133External Remote Services

Same Tactic: Initial Access

Popular Detections