Skip to content

Add vpatch rules for CVE-2026-20127 (Cisco SD-WAN vManage Pre-Auth RCE)#1714

Merged
buixor merged 1 commit intomasterfrom
CVE-2026-20127
Mar 6, 2026
Merged

Add vpatch rules for CVE-2026-20127 (Cisco SD-WAN vManage Pre-Auth RCE)#1714
buixor merged 1 commit intomasterfrom
CVE-2026-20127

Conversation

@buixor
Copy link
Contributor

@buixor buixor commented Mar 6, 2026

Two rules covering the full exploit chain:

  • vpatch-CVE-2026-20127: blocks path-traversal WAR upload to /dataservice/smartLicensing/uploadAck (step 3 - direct RCE trigger)
  • vpatch-CVE-2026-20127-dca-disclosure: blocks unauthenticated access to the DCA credential file at /reports/data/.../data-collection-agent/.dca (step 1 - cred theft)

Both rules validated, linted, and live-tested via the WAF harness.

@buixor @claude
Add vpatch rules for CVE-2026-20127 (Cisco SD-WAN vManage Pre-Auth RCE)
449d162 
Two rules covering the full exploit chain:
- vpatch-CVE-2026-20127: blocks path-traversal WAR upload to
  /dataservice/smartLicensing/uploadAck (step 3 - direct RCE trigger)
- vpatch-CVE-2026-20127-dca-disclosure: blocks unauthenticated access
  to the DCA credential file at
  /reports/data/.../data-collection-agent/.dca (step 1 - cred theft)

Both rules validated, linted, and live-tested via the WAF harness.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 6, 2026

Hello @buixor,

✅ The new VPATCH Rule is compliant, thank you for your contribution!

@github-actions
Copy link

github-actions bot commented Mar 6, 2026

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@buixor buixor merged commit 91da961 into master Mar 6, 2026
15 of 17 checks passed
@buixor buixor deleted the CVE-2026-20127 branch March 6, 2026 10:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@blotus blotus blotus approved these changes

@seemanne seemanne seemanne approved these changes

@AlteredCoder AlteredCoder AlteredCoder approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@buixor @blotus @seemanne @AlteredCoder