Cyber Threat Brief — March 5 2026
Focus: Actionable technical intel for detection engineers. Every entry has MITRE-mapped artifacts and concrete detection coverage notes. Sources verified within 24 hours.
1. Cisco Catalyst SD-WAN — Pre-auth RCE PoC drops WAR/JSP via WildFly deployments
Summary
A new public PoC for a Cisco Catalyst SD-WAN pre-auth RCE chain (shared as CVE-2026-20127) shows a very defender-friendly flow: steal a 32-byte key from an exposed “data collection agent” file, authenticate as a reserved service user, then abuse a file upload endpoint to path-traverse a .war into WildFly’s standalone/deployments for JSP-based command execution. Even if you don’t trust “exploited since 2023” marketing claims, the PoC provides extremely huntable HTTP paths and server-side file targets.
What’s New (Last 24 Hours)
A working exploit script and companion web shell artifacts (cmd.war, cmd.jsp) were published to GitHub. The PoC documents specific SD-WAN management-plane endpoints used for key retrieval, login, WAR write, and command execution.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| GET /reports/data/opt/data/containers/config/data-collection-agent/.dca (expects 32-byte key) | TTP | T1190 | Reverse proxy / web access logs | Hunt for requests to this exact path (especially from untrusted IPs); this is the PoC’s first-stage secret retrieval |
| POST /jts/authenticated/j_security_check with j_username=viptela-reserved-dca | TTP | T1078 | Web access logs / app logs | Alert on authentication attempts using the reserved username, particularly immediately following .dca retrieval |
| POST /dataservice/smartLicensing/uploadAck with multipart file name containing ../../..../var/lib/wildfly/standalone/deployments/ | TTP | T1105 | Web access logs / WAF logs | Detect path traversal in multipart upload filenames targeting WildFly deployments; this is the WAR drop primitive |
| Write of *.gz.war into .../wildfly/standalone/deployments/ | TTP | T1505.003 | EDR file telemetry / Linux auditd | Alert on new WAR deployments written by the SD-WAN service context; baseline expected deployments and detect new/rare names |
| POST /cmd.gz/cmd.jsp with parameter cmd=<command> | TTP | T1059.004 | Web access logs | Hunt for requests to *.jsp beneath /*.gz/ paths and especially cmd= form fields; this is the webshell execution step |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No technique+artifact matches surfaced for the specific SD-WAN/WildFly WAR dropper behavior; you likely need a local analytic on the concrete HTTP paths above and/or file-creation monitoring for standalone/deployments |
| Elastic | None found | Same gap: prioritize web log detections on the unique endpoints (.dca, uploadAck) and EDR/auditd monitoring for new .war writes in WildFly deployments |
| Sigma | None found | Generic webshell/WAR-write rules exist in some ecosystems, but no direct Sigma hits for these concrete URIs/paths via this query; treat as a custom-hunt scenario driven by the PoC artifacts |
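Since none of the three rule ecosystems cover this chain, the practical option is a local analytic over web access logs that keys on the concrete endpoints above and scores how many stages a single client walks through, in order. The following is an added example written for this brief, not code from the PoC repository or from Cisco: it assumes combined-format proxy logs (adjust the regex to your schema), matches the login and upload stages on endpoint alone because the reserved username and traversal filename are only visible in request bodies, and runs over a handful of constructed sample lines.

```python
import re
from collections import defaultdict

# Combined/common log format: client IP, timestamp, request line, status.
# Assumed format for this example; adjust the pattern to your proxy's log schema.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The four stages of the chain, in the order the PoC uses them, with the
# ATT&CK technique the brief assigns to each. Predicates see (method, path
# without query string). The reserved username and the traversal filename
# live in the request body, so on a plain access log those two stages are
# matched on endpoint alone; a WAF or body-logging layer can tighten them.
STAGES = [
    ("dca_key_read", "T1190",
     lambda m, p: m == "GET" and p.endswith("/data-collection-agent/.dca")),
    ("reserved_user_login", "T1078",
     lambda m, p: m == "POST" and p == "/jts/authenticated/j_security_check"),
    ("war_upload", "T1105",
     lambda m, p: m == "POST" and p == "/dataservice/smartLicensing/uploadAck"),
    ("jsp_webshell", "T1059.004",
     lambda m, p: m == "POST" and re.search(r"\.gz/[^/]+\.jsp$", p) is not None),
]
STAGE_ORDER = [name for name, _, _ in STAGES]


def parse_line(line):
    """Return (ip, method, path-without-query) for one access log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path").split("?", 1)[0]


def classify(method, path):
    """Map one request to a (stage, technique) pair, or None if unrelated."""
    for name, technique, pred in STAGES:
        if pred(method, path):
            return name, technique
    return None


def hunt(lines):
    """Group stage hits per client IP and score each client by chain coverage."""
    hits_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path = parsed
        hit = classify(method, path)
        if hit:
            hits_by_ip[ip].append(hit)

    findings = []
    for ip, hits in hits_by_ip.items():
        firsts = []                      # stages in order of first appearance
        for name, _ in hits:
            if name not in firsts:
                firsts.append(name)
        # One stage alone (e.g. a normal login) is low signal; three or more
        # stages from one client, in PoC order, is the pattern worth paging on.
        severity = {1: "low", 2: "medium"}.get(len(firsts), "high")
        findings.append({
            "ip": ip,
            "stages": firsts,
            "in_sequence": firsts == sorted(firsts, key=STAGE_ORDER.index),
            "techniques": sorted({t for _, t in hits}),
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["ip"])


# Constructed sample: one client walking the full chain, one ordinary login.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2026:09:14:02 +0000] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 32 "-" "python-requests/2.31"
203.0.113.10 - - [04/Mar/2026:09:14:03 +0000] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [04/Mar/2026:09:14:05 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.10 - - [04/Mar/2026:09:14:09 +0000] "POST /cmd.gz/cmd.jsp HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [04/Mar/2026:09:20:41 +0000] "POST /jts/authenticated/j_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2026:09:20:44 +0000] "GET /dataservice/device HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The severity ladder is deliberately coarse: a lone j_security_check POST is routine admin traffic, so it surfaces only as low, while the .dca read followed by upload and JSP stages from the same address is what the coverage table calls for. Pair this with the auditd or EDR file-write rule for standalone/deployments so the WAR drop is confirmed from the host side as well.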
Sources
- zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE (PoC repo) — Published 2026-03-04
- X post amplifying repo — Published 2026-03-04
2. Tactical RMM — Authenticated Jinja2 SSTI RCE via reporting template preview endpoint
Summary
A new Metasploit PR adds a Tactical RMM exploit module for an authenticated Jinja2 SSTI that turns the “reporting template preview” feature into Python/OS command execution. The key operational detail: the API endpoint takes attacker-controlled template_md and renders it via Environment.from_string() without sandboxing (patched by moving to SandboxedEnvironment). This is the kind of bug that shows up as very specific, high-signal API calls and payload-shaped template strings in web logs.
What’s New (Last 24 Hours)
Rapid7’s Metasploit Framework received a new exploit module PR documenting the vulnerable endpoints and the exact API request structure used to authenticate, confirm SSTI, and deliver payloads.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST /v2/checkcreds/ (JSON username/password; returns token) | TTP | T1078 | API gateway / web access logs | Baseline expected auth patterns; alert on anomalous auth sources followed immediately by template preview calls |
| POST /reporting/templates/preview/ | TTP | T1190 | Web access logs / API logs | High-signal hunt pivot: this endpoint is the RCE delivery path in the module |
| JSON body field template_md sent to /reporting/templates/preview/ | TTP | T1059.004 | Web access logs (if body logged) / app debug logs | If you log request bodies (carefully), alert on template_md containing Jinja2 expression markers like {{ / {% |
| GET /env-config.js followed by Host-header targeting the discovered API vhost (PROD_URL) | TTP | T1583.006 | Web access logs | The module auto-discovers the API host from /env-config.js then pivots to API calls; this sequence can be used as a correlation pattern |
| GET /core/dashinfo/ with Authorization: Token <…> | TTP | T1078 | API logs | Token-authenticated dashinfo queries can be normal, but are useful to correlate with unusual template preview activity during exploitation |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | Current technique+artifact matching did not surface Tactical-RMM-specific detections; best coverage is a custom analytic watching /reporting/templates/preview/ usage + Jinja2 marker strings in template_md |
| Elastic | None found | Same gap: implement an API log detection around the preview endpoint and body-content heuristics (e.g., {{ / {%, unusually long template bodies) mapped to the SSTI execution path |
| Sigma | None found | No direct Sigma hits for these Tactical RMM endpoints/fields via this query; treat as a bespoke web/API detection opportunity |
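The bespoke detection the coverage table describes has two parts: a body-content heuristic on template_md (Jinja2 markers, unusually long templates) and a correlation of preview calls with the /env-config.js and /v2/checkcreds/ precursors from the same source. The block below is an added example for this brief, not the Metasploit module or Tactical RMM project code. It assumes API logs as JSON lines with ts, src_ip, method, path and an optional body field, a 2000-character length threshold and a five-minute correlation window (both arbitrary and meant to be tuned), and runs over constructed sample records.

```python
import json
from datetime import datetime, timedelta

JINJA_MARKERS = ("{{", "{%")
LONG_TEMPLATE = 2000                    # assumed threshold; tune to real template sizes
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed window for precursor correlation

# Precursor requests the brief lists, with the technique it maps each one to.
PRECURSORS = {"/v2/checkcreds/": "T1078", "/env-config.js": "T1583.006"}
PREVIEW_PATH = "/reporting/templates/preview/"


def parse_event(line):
    """One JSON-lines API log record (assumed schema) with ts parsed to datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def template_risk(body):
    """Inspect a logged preview body; return the list of reasons it looks risky."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ["unparseable_body"]
    tmpl = data.get("template_md")
    if not isinstance(tmpl, str):
        return []
    reasons = []
    if any(marker in tmpl for marker in JINJA_MARKERS):
        reasons.append("jinja_markers")
    if len(tmpl) > LONG_TEMPLATE:
        reasons.append("long_template")
    return reasons


def detect(lines):
    """Emit one alert per preview call, enriched with body and precursor findings."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_precursor = {}   # (src_ip, path) -> timestamp of most recent precursor
    alerts = []
    for ev in events:
        ip, path = ev["src_ip"], ev["path"]
        if path in PRECURSORS:
            last_precursor[(ip, path)] = ev["ts"]
            continue
        if ev["method"] != "POST" or path != PREVIEW_PATH:
            continue
        reasons = template_risk(ev.get("body"))
        techniques = ["T1190"]
        if "jinja_markers" in reasons:
            techniques.append("T1059.004")
        for pre, technique in PRECURSORS.items():
            seen = last_precursor.get((ip, pre))
            if seen is not None and ev["ts"] - seen <= CORRELATION_WINDOW:
                reasons.append("recent_" + pre.strip("/").replace("/", "_"))
                techniques.append(technique)
        if "jinja_markers" in reasons:
            severity = "high"
        elif any(r.startswith("recent_") for r in reasons):
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"src_ip": ip, "ts": ev["ts"].isoformat(),
                       "reasons": reasons, "techniques": techniques,
                       "severity": severity})
    return alerts


# Constructed sample records: one source runs the full precursor-then-preview
# sequence with a marker-bearing template; another previews a plain markdown report.
SAMPLE_API_LOG = [json.dumps(rec) for rec in [
    {"ts": "2026-03-05T09:59:58", "src_ip": "203.0.113.50", "method": "GET",
     "path": "/env-config.js", "status": 200},
    {"ts": "2026-03-05T10:00:00", "src_ip": "203.0.113.50", "method": "POST",
     "path": "/v2/checkcreds/", "status": 200},
    {"ts": "2026-03-05T10:00:04", "src_ip": "203.0.113.50", "method": "GET",
     "path": "/core/dashinfo/", "status": 200},
    {"ts": "2026-03-05T10:00:06", "src_ip": "203.0.113.50", "method": "POST",
     "path": PREVIEW_PATH, "status": 200,
     "body": json.dumps({"template_md": "{{ 7*7 }}", "template_type": "markdown"})},
    {"ts": "2026-03-05T11:30:00", "src_ip": "198.51.100.20", "method": "POST",
     "path": PREVIEW_PATH, "status": 200,
     "body": json.dumps({"template_md": "# Weekly summary\nAll agents online."})},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_API_LOG):
        print(alert)
```

Every preview call produces a record so that routine admin usage can be baselined, but only the marker hit raises severity to high; the precursor correlation alone is medium because a fresh login before a preview is also what a legitimate operator does. The body check only fires when request bodies are actually logged, which is why the brief flags that choice as one to make carefully.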
Sources
- rapid7/metasploit-framework PR #21017 (patch) — Published 2026-03-05