Distributed SDN controllers are widely deployed in wide-area networks (e.g., SD-WAN), yet their protocol-level security vulnerabilities remain systematically unassessed. To address this gap, we propose a state-aware fuzzing methodology tailored for distributed SDN controller protocols. Our approach first performs reverse engineering of distributed systems and infers protocol state machines to construct a lightweight, unified state model; it then leverages this model to guide efficient, scalable, state-directed fuzzing—overcoming the fundamental limitation of conventional fuzzing in modeling multi-node collaborative states. Evaluated in a real-world SD-WAN environment spanning two campus networks and one enterprise network, our method uncovered six previously unknown protocol-level vulnerabilities. This work establishes the first automated security assessment framework for distributed control planes that supports complex, inference-based state modeling—demonstrating both practical efficacy and broad applicability.

Distributed SDN (Software-Defined Networking) controllers have rapidly become an integral element of Wide Area Networks (WAN), particularly within SD-WAN, providing scalability and fault-tolerance for expansive network infrastructures. However, the architecture of these controllers introduces new potential attack surfaces that have thus far received inadequate attention. In response to these concerns, we introduce Ambusher, a testing tool designed to discover vulnerabilities within protocols used in distributed SDN controllers. Ambusher achieves this by leveraging protocol state fuzzing, which systematically finds attack scenarios based on an inferred state machine. Since learning states from a cluster is complicated, Ambusher proposes a novel methodology that extracts a single and relatively simple state machine, achieving efficient state-based fuzzing. Our evaluation of Ambusher, conducted on a real SD-WAN deployment spanning two campus networks and one enterprise network, illustrates its ability to uncover 6 potential vulnerabilities in the widely used distributed controller platform.