Detect Cisco Catalyst SD-WAN Manager Path Traversal Exploitation in Splunk
Detects exploitation attempts targeting CVE-2026-20262, a path traversal vulnerability (CWE-22) in Cisco Catalyst SD-WAN Manager. Active exploitation has been confirmed by CISA KEV. Attackers can traverse directory boundaries via crafted HTTP requests to read sensitive files outside the web root, potentially exposing credentials or configuration data, or enabling further compromise of the SD-WAN management plane.
MITRE ATT&CK
SPL Detection Query
index=network OR index=web sourcetype IN ("cisco:sdwan", "pan:traffic", "cisco:asa", "access_combined", "iis")
| search uri IN ("*../*", "*..%2f*", "*..%2F*", "*%2e%2e%2f*", "*%2e%2e/*", "*..%5c*", "*%2e%2e%5c*")
``` Decode once so single-encoded traversal sequences are normalised before extraction and counting ```
| eval decoded_uri=urldecode(uri)
| rex field=decoded_uri "(?P<traversal_seq>(?:\.\./)+)(?P<target_path>[^?#]+)"
| where match(decoded_uri, "/dataservice/|/management/|/template/|/config/")
| eval sensitive_target=if(match(target_path, "etc/passwd|etc/shadow|etc/hosts|proc/|var/log|\.ssh|authorized_keys|id_rsa|credentials"), "YES", "NO")
``` Traversal depth is counted on the decoded URI; counting the raw URI would silently drop every %2e%2e%2f request ```
| eval traversal_count=mvcount(split(decoded_uri, "../")) - 1
| where traversal_count >= 1
| stats count AS attempt_count, values(uri) AS traversal_uris, values(target_path) AS targeted_paths, dc(uri) AS unique_uris BY src_ip, dest_ip, sensitive_target
| where attempt_count >= 1
| sort - attempt_count

Searches web and network logs for path traversal patterns in HTTP requests targeting Cisco SD-WAN Manager API endpoints, with enrichment for sensitive file targets and traversal depth. Field names (uri, src_ip, dest_ip) must match the listed sourcetypes; map them with FIELDALIAS or rename them if your data uses CIM names such as url, src and dest.
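The decode-then-count logic the query relies on, as an added Python example (not part of the original detection package) run over constructed access-log lines. It assumes a minimal "METHOD URI STATUS" log layout and decodes percent-encoding a bounded number of times, so the single- and double-encoded variants from the test list collapse to the same traversal depth and target path.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real telemetry): method, URI, status.
SAMPLE_LOG = [
    "GET /dataservice/disasterrecovery/download/../../../../etc/passwd 200",
    "GET /template/%2e%2e%2f%2e%2e%2fetc%2fhosts 403",
    "GET /config/%252e%252e%252f%252e%252e%252fetc%252fshadow 200",
    "GET /dataservice/device/status 200",
    "GET /static/images/logo.png 200",
]

# Same scoping and sensitive-file patterns as the SPL query.
ENDPOINT_RE = re.compile(r"/dataservice/|/management/|/template/|/config/")
SENSITIVE_RE = re.compile(
    r"etc/passwd|etc/shadow|etc/hosts|proc/|var/log|\.ssh|authorized_keys|id_rsa|credentials"
)
TRAVERSAL_RE = re.compile(r"(?:\.\./)+")


def normalize_uri(uri: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (bounded to avoid decode loops) and
    fold backslashes to slashes, so ../, %2e%2e%2f and %252e%252e%252f compare equal."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def analyze_uri(uri: str) -> dict:
    """Return scope, traversal depth, extracted target path and sensitivity flag."""
    norm = normalize_uri(uri)
    m = TRAVERSAL_RE.search(norm)
    target = norm[m.end():].split("?", 1)[0] if m else ""
    return {
        "in_scope": bool(ENDPOINT_RE.search(norm)),
        "traversal_depth": norm.count("../"),
        "target_path": target,
        "sensitive_target": bool(SENSITIVE_RE.search(target)),
    }


def detect(lines: list[str]) -> list[dict]:
    """Emit one hit per in-scope request with at least one traversal step."""
    hits = []
    for line in lines:
        method, uri, status = line.split()
        info = analyze_uri(uri)
        if info["in_scope"] and info["traversal_depth"] >= 1:
            hits.append({"uri": uri, "status": status, **info})
    return hits
```

Running `detect(SAMPLE_LOG)` yields three hits (depths 4, 2 and 2, all flagged sensitive); the double-encoded request is only caught because decoding is applied twice, which is the gap the SPL version closes by decoding before counting.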
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated vulnerability scanners (authenticated or unauthenticated) producing traversal-like URI patterns
- SD-WAN Manager internal processes that generate non-standard URI paths during template rendering
- Load balancer health checks or monitoring agents that normalize path separators in ways resembling traversal
- Proxy servers that decode and re-encode URLs, creating apparent traversal sequences in logs
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Basic Path Traversal File Read via SD-WAN Manager API
  Expected signal: Web server access log entry with URI containing '../../../../etc/passwd', HTTP response code 200 or 400/403 depending on patch status, source IP of test host
- Test 2: URL-Encoded Path Traversal Against SD-WAN Template API
  Expected signal: Access log entry with raw URI containing %2e%2e%2f sequences targeting /template/ endpoint, HTTP response code logged by web server before or after URL normalization
- Test 3: Double-Encoded Traversal Bypass Attempt
  Expected signal: Access log entry with double-encoded URI; if the server double-decodes the URL, a subsequent audit log event showing /etc/passwd file access at the OS level
- Test 4: Traversal to SD-WAN Configuration File for Credential Harvesting
  Expected signal: Multiple HTTP requests in quick succession with traversal sequences targeting vmanage configuration paths; response sizes indicating file content if successful
References
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20262