Share
## https://sploitus.com/exploit?id=0DE3C3C9-14F7-5D6D-BF38-1355CBBBB52A
# CVE-2026‑20127 – Remote Authentication Bypass for Cisco Catalyst SD‑WAN

---

## Overview

Cisco Catalyst SD‑WAN (formerly SD‑WAN vSmart/vManage) is vulnerable to a **remote authentication bypass** that allows an unauthenticated attacker to obtain high‑privileged, non‑root access.  
The flaw is due to an incorrect implementation of the peering authentication logic, which can be exploited by sending specially crafted HTTP requests.  Once authenticated, the attacker can:

- Log in as an internal high‑privileged user.
- Access the NETCONF interface.
- Manipulate the SD‑WAN fabric configuration.

This repository contains a proof‑of‑concept **`exploit.py`** script that demonstrates how to exploit the vulnerability, upload a malicious WAR file, and execute arbitrary commands on the target.

> **Warning**: This tool is for security research and testing only.  
> Do not use it against systems you do not own or have explicit permission to test.

---

## Prerequisites

| Item | Version | Notes |
|------|---------|-------|
| Python | ≥ 3.6 | Used by `exploit.py` |
| Dependencies | `pip install -r requirements.txt` |  |

---

## How the Exploit Works

1. **Discover DCA Key**  
   The script requests the Data‑Collection Agent key from `/.dca`.  
   This key is used for authentication.

2. **Login**  
   Using the key, the script logs into the system’s JTS authentication endpoint.

3. **Upload Malicious WAR**  
   It uploads a specially crafted `*.war.gz` file that contains the target JSP.  
   The WAR is placed in the WildFly deployments directory via a directory‑traversal vulnerability.

4. **Execute Command**  
   Once the JSP is deployed, the script sends a POST request to the JSP endpoint (`cmd.jsp`).  
   The payload is an arbitrary command (e.g., `whoami`, `id`, `cat /etc/passwd`, etc.).

5. **Result**  
   Successful execution returns the command output in the response body.

---

## Usage

```bash
python3 exploit.py -url http:// -jsp_path /path/to/malicious.jsp [-command ""] [-debug]
```

### Options

| Flag | Description |
|------|-------------|
| `-url` | **Required.** Base URL of the SD‑WAN Controller (no trailing slash). |
| `-jsp_path` | **Required.** Path to the JSP file you want to upload. |
| `-command` | Optional. Command you want to execute once the webshell is deployed. |
| `-debug` | When set, the script will attempt to run the supplied command immediately after uploading. Useful for testing. |

### Example
If you want to use my webshell:
```bash
python3 exploit.py -url http://192.168.1.100 -jsp_path cmd.jsp -command "id" -debug
```
The script will:
1. Upload `cmd.jsp` as `cmd.war.gz`.
2. Deploy it to `http://192.168.1.100/cmd.gz/cmd.jsp`.
3. Execute `id` on the target.

Successful output will be displayed in green.

If you want to use your custom webshell:
```bash
python3 exploit.py -url http://192.168.1.100 -jsp_path .jsp
```

### Demo

![demo](images/poc.png)