This is a submission for Weekend Challenge: Passion Edition
What I Built
CVE‑2026‑20127 Defensive Companion - a fully offline, enterprise‑grade browser extension (Manifest V3) that transforms raw exploit intelligence into a real‑time threat analysis laboratory. It provides deep‑dive visibility into the authentication bypass vulnerability in Cisco Catalyst SD‑WAN Controllers (vSmart), enabling SOC teams and defensive researchers to dissect the DTLS handshake flaw, extract Indicators of Compromise, and deploy mitigation strategies without ever exposing operational data to external networks.
The extension delivers:
- An offline NLP knowledge engine that answers natural‑language queries about the vulnerability, detection, and remediation - powered entirely by 17 segmented JSON intelligence domains parsed from the original exploit research.
- An interactive Protocol Explorer that renders the legitimate vs. exploited DTLS handshake sequences, highlighting the exact memory corruption in
vbond_proc_challenge_ack_ack()at0x38AB7. - A Packet Anatomy Viewer breaking down the forged
CHALLENGE_ACK_ACKmessage byte‑by‑byte. - A report generator that compiles on‑demand Markdown threat summaries for downstream distribution.
- Strict air‑gapped design: zero external API calls, rigid Content Security Policy, and the minimal possible permissions (
activeTab,sidePanel,storage).
The goal was to encapsulate months of passion for reverse engineering and defensive research into a single, elegant tool that makes sophisticated protocol analysis accessible to every security professional - anywhere, with no cloud dependency.
Demo
The extension’s side panel is the persistent analyst workspace. Below is a capture of the dashboard showing the interactive protocol explorer, local assistant, and IOC extraction.
Visual walk‑through: left pane - protocol sequence diagram with the vulnerable state transition highlighted; right pane - offline NLP assistant answering a detection query; bottom bar - quick IOC summary (malicious verify_status byte, targeted ports, anomalous log patterns).
Code
Executive Summary
The CVE-2026-20127 Defensive Companion is a premier, enterprise-grade Browser Extension engineered for proactive threat intelligence and defensive analysis. This tool encapsulates authoritative technical research concerning the authentication bypass vulnerability in the Cisco Catalyst SD-WAN Controller (vSmart). By delivering an offline, heavily localized intelligence layer, it empowers Security Operations Centers (SOC) and defensive researchers to rapidly analyze packet structures, trace authentication flows, and instantly extract Indicators of Compromise (IOCs) without exposing active investigative data to external networks.
Technical Background
The Cisco Catalyst SD-WAN architecture relies on the vdaemon service to establish and maintain control-plane DTLS connections between edge devices and the controller. The underlying vulnerability (CVE-2026-20127) exploits a failure in state machine validation during the DTLS handshake sequence, explicitly impacting ports typically associated with vSmart control traffic (e.g., 12346, 52521). The vulnerability allows unauthorized actors to bypass X.509 certificate validation and forge an authenticated state within the internal controller…
How I Built It
The Spark
Cisco’s disclosure of CVE‑2026‑20127 - an unauthenticated DTLS handshake bypass in the vSmart controller’s vdaemon service - immediately ignited my passion. A single missing state‑machine check in the vbond_proc_challenge_ack_ack() function allowed an attacker to forge an authenticated session without ever presenting a valid certificate. The original exploit repository laid bare the raw mechanics; I wanted to turn that knowledge into a defensive force multiplier that would outlive the patch cycle.
This challenge provided the perfect forcing function. In one weekend, I built an extension that doesn’t just describe the vulnerability - it teaches the protocol weakness, arms defenders with live detection rules, and does so in a completely offline package that respects the operational security of the most sensitive environments.
Architecture: Isolated Intelligence, Maximum Impact
The extension adheres to the strict separation enforced by Manifest V3, while delivering a reactive, near‑instant experience.
Data Layer (src/knowledge)
The raw exploit research was parsed into 17 domain‑specific JSON objects covering everything from the DTLS state machine (message types 8,9,10) to IOC fingerprints in vsyslog and auth.log. This structured intelligence is the foundation of the offline engine.
Offline NLP Engine (src/services)
A custom, zero‑latency pipeline runs entirely in the browser:
- Tokenization & stop‑word removal on the user’s natural‑language query.
-
Heuristic intent detection - mapping phrases like “how to detect” to the
Detectionknowledge domain. -
Semantic retrieval against the pre‑built inverted index (a
Set<string>intersection over tokens). - Template‑driven synthesis that assembles the matched JSON fragments into human‑readable Markdown, complete with memory addresses, log signatures, and ACL recommendations.
All indexing happens synchronously at side‑panel load, keeping query response times sub‑millisecond.
Presentation Layer (React 19 + Vite + Tailwind)
The UI is built as a single‑page application mounted in the sidePanel. Key design choices:
- Lazy‑loaded components ensure instant first paint; the Protocol Explorer and Packet Viewer are loaded only when their tabs are activated.
- Framer Motion hardware‑accelerates the DTLS sequence animations, making the state‑transition attack path intuitively visible.
- Lucide React provides a professional icon set that scales across Chrome’s light/dark modes.
Browser Integration
- A service worker (
background.ts) acts as the central event bus, routing messages between the popup, side panel, and storage layers with mandatoryreturn truefor asyncchrome.runtime.onMessagelisteners. -
chrome.storage.localpersists user preferences and the most recent report snapshot. - The manifest requests only
activeTab,sidePanel, andstorage- nowebRequest, nodeclarativeNetRequest. All intelligence is self‑contained; the tool makes zero network requests, guaranteeing that no sensitive investigation data leaks.
Technical Deep Dive: Why the Vulnerability Exists
The extension’s Protocol Explorer visualises the core flaw. In the legitimate flow:
- Client sends DTLS
ClientHellowith X.509 cert. - Server issues
CHALLENGE(msg_type=8). - Client responds
CHALLENGE_ACK(msg_type=9) with cryptographic proof. - Server validates proof, sends
CHALLENGE_ACK_ACK(msg_type=10), and sets*(BYTE*)(peer_state+70) = 1.
The exploit skips step 3 entirely. The attacker intercepts the CHALLENGE and immediately crafts a CHALLENGE_ACK_ACK with a non‑zero verify_status byte. Because vbond_proc_msg() exempts msg_type=10 from authentication checks, the packet reaches the vulnerable handler, which blindly trusts the client‑supplied status and marks the peer as authenticated.
The extension renders these two flows side‑by‑side, highlighting the missing validation gate, and overlays the exact binary patch (upgrade to v20.12.6.1) that introduces the state‑machine enforcement.
Detection & Mitigation Built In
Beyond visualisation, the Knowledge Engine codifies actionable detection guidance directly from the exploit research:
-
vsyslog anomaly: Alert on
control-connection-state-changewithpeer-vmanage-system-ipof0.0.0.0followed by immediatedownstate. -
auth.log anomaly: Unexpected SSH key acceptance for
vmanage-adminon port 830 immediately after DTLS instability. - Network ACLs: Strictly restrict inbound DTLS ports (12346, 52521) to known edge routers.
-
Patch imperative: Upgrade to v20.12.6.1+, which adds the missing
verify_statusvalidation.
Every answer is synthesized from the local JSON store; the assistant is not a generative AI that hallucinates. It’s a deterministic retrieval engine that guarantees factual accuracy.
Passion in Every Component
This wasn’t a casual build. The extension reflects a deep obsession with protocol‑level security research. I manually disassembled the vdaemon logic, traced the memory writes, and translated the binary analysis into interactive UI elements. The NLP engine itself was hand‑crafted - no TensorFlow, no external models - because I wanted the intellectual satisfaction of building a pure, dependency‑free reasoning core that respects the air‑gap.
The project is a love letter to the art of defense: taking an attacker’s blueprint and forging a shield that educates and protects simultaneously. The World Cup of cybersecurity is happening every day in data centers and SOCs, and this tool is my seat in the stands, cheering for the blue team.

Top comments (2)
This is a seriously impressive build! The dedication to keeping the extension completely air-gapped while still delivering an offline NLP engine is a massive win for operational security.
Visualizing the DTLS state-machine bypass side-by-side with the legitimate flow is a fantastic way to bridge the gap between raw binary analysis and accessible defensive tooling. Furthermore, building your own deterministic retrieval engine instead of relying on external cloud APIs shows a deep understanding of what SOC teams actually need: factual accuracy without the risk of data leakage or AI hallucinations.
Incredible work condensing months of reverse engineering passion into a weekend challenge submission. Go blue team!
Thank you so much for the thoughtful feedback.