Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122)
Detects exploitation of CVE-2026-20122, a critical vulnerability in Cisco Catalyst SD-WAN Manager involving incorrect use of privileged APIs (CWE-648). This KEV-listed flaw allows attackers to invoke privileged API endpoints without proper authorization, potentially enabling unauthorized configuration changes, credential harvesting, or full SD-WAN infrastructure takeover. Active exploitation has been observed in the wild per CISA Emergency Directive ED-26-03.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Cisco
- Product
- Catalyst SD-WAN Manager
Weakness (CWE)
Timeline
- Disclosed
- April 20, 2026
References & Proof of Concept
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20122
CVSS
What is Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122)?
Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122) maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Privilege Escalation, Defense Evasion and Lateral Movement.
This page provides production-ready detection logic for Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122), covering the data sources and telemetry it touches: CommonSecurityLog, AzureDiagnostics, Cisco SD-WAN Manager Logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
// Optional host names for scoping the AzureDiagnostics branch (defined but not applied below)
let SdwanManagerHosts = dynamic(["sdwan-manager", "vmanage"]);
// Privileged SD-WAN Manager API path prefixes (CWE-648: incorrect use of privileged APIs)
let PrivilegedApiPaths = dynamic(["/dataservice/admin", "/dataservice/system", "/dataservice/device/action", "/dataservice/template", "/dataservice/settings/configuration", "/dataservice/certificate", "/dataservice/aaa"]);
// Only successful calls count: a rejected privileged call is not evidence of the authorization bypass
let SuspiciousStatusCodes = dynamic([200, 201, 204]);
let LookbackWindow = 1h;
union
(
CommonSecurityLog
| where TimeGenerated >= ago(LookbackWindow)
| where DeviceVendor =~ "Cisco" and DeviceProduct has_any ("SD-WAN", "vManage", "Catalyst SD-WAN")
| where RequestURL has_any (PrivilegedApiPaths)
| where RequestMethod in ("POST", "PUT", "DELETE", "PATCH")
| where toint(EventOutcome) in (SuspiciousStatusCodes)
| extend RequestedAPI = RequestURL, HttpMethod = RequestMethod
| project TimeGenerated, SourceIP, DestinationIP, RequestedAPI, HttpMethod, EventOutcome, Message, DeviceAction
),
(
AzureDiagnostics
| where TimeGenerated >= ago(LookbackWindow)
| where Category =~ "ApplicationGatewayAccessLog" or ResourceType =~ "APPLICATIONGATEWAYS"
| where requestUri_s has_any (PrivilegedApiPaths)
| where httpMethod_s in ("POST", "PUT", "DELETE", "PATCH")
| where toint(httpStatus_d) in (SuspiciousStatusCodes)
| extend SourceIP = clientIP_s, RequestedAPI = requestUri_s, HttpMethod = httpMethod_s
| project TimeGenerated, SourceIP, RequestedAPI, HttpMethod, httpStatus_d, host_s
)
// Aggregate per source and method; several distinct privileged endpoints from one source is the strongest signal
| summarize
RequestCount = count(),
UniqueAPIs = dcount(RequestedAPI),
APIsAccessed = make_set(RequestedAPI, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, HttpMethod
| where RequestCount >= 3 or UniqueAPIs >= 2
| extend RiskScore = case(
UniqueAPIs >= 4, "Critical",
UniqueAPIs >= 2, "High",
RequestCount >= 10, "High",
"Medium"
)
| sort by UniqueAPIs desc, RequestCount desc
Detects unauthorized or anomalous access to privileged SD-WAN Manager API endpoints indicative of CVE-2026-20122 exploitation. Correlates HTTP method, API path, and response codes across CommonSecurityLog and AzureDiagnostics to surface privilege abuse patterns.
Data Sources
Required Tables
False Positives
- Legitimate SD-WAN administrators performing bulk configuration changes or template deployments
- Automated orchestration tools or CI/CD pipelines that interact with the SD-WAN Manager API using service accounts
- Vulnerability scanners or compliance tools performing API enumeration against the management plane
- Cisco TAC remote support sessions accessing privileged endpoints during troubleshooting
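The aggregation in the KQL query above, and the service-account false positives listed just above, as an added Python example (not code from this page, from Cisco, or from any SIEM vendor): it runs the same correlation over constructed access-log lines and drops allow-listed orchestration accounts before counting. The line layout, the IP addresses, usernames and timestamps are assumptions constructed for this example; the path prefixes, write methods, success codes, thresholds and risk tiers are the ones the KQL query uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Privileged API path prefixes and thresholds taken from the KQL query above.
PRIVILEGED_API_PATHS = (
    "/dataservice/admin", "/dataservice/system", "/dataservice/device/action",
    "/dataservice/template", "/dataservice/settings/configuration",
    "/dataservice/certificate", "/dataservice/aaa",
)
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
SUCCESS_CODES = {200, 201, 204}

# Assumed line layout (a constructed format for this example, not the real vManage log format):
#   <ISO-8601 time> <client ip> "<METHOD> <path> HTTP/x.y" <status> <user or ->
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)$')


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status, user = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "method": method.upper(),
        "path": path.split("?", 1)[0],  # drop the query string before prefix matching
        "status": int(status),
        "user": user,
    }


def is_privileged_write(ev: dict) -> bool:
    """A successful write (POST/PUT/DELETE/PATCH answered 200/201/204) to a privileged path."""
    return (
        ev["method"] in WRITE_METHODS
        and ev["status"] in SUCCESS_CODES
        and any(ev["path"].startswith(p) for p in PRIVILEGED_API_PATHS)
    )


def risk_score(unique_apis: int, request_count: int) -> str:
    """Same ordering as the KQL case(): distinct endpoints weigh more than volume."""
    if unique_apis >= 4:
        return "Critical"
    if unique_apis >= 2 or request_count >= 10:
        return "High"
    return "Medium"


def detect(lines, allowlist=frozenset(), window=timedelta(hours=1), now=None):
    """Aggregate successful privileged writes per (source IP, method) and return
    alerts for sources with >= 3 requests or >= 2 distinct endpoints.

    allowlist holds source IPs or usernames of known orchestration/service
    accounts (the false-positive class listed above); their events are removed
    before aggregation so they never inflate another bucket's counts.
    """
    events = [ev for ev in map(parse_line, lines) if ev and is_privileged_write(ev)]
    events = [ev for ev in events if ev["src"] not in allowlist and ev["user"] not in allowlist]
    if not events:
        return []
    now = now or max(ev["ts"] for ev in events)  # deterministic "now" for offline runs
    cutoff = now - window
    buckets = defaultdict(list)
    for ev in events:
        if ev["ts"] >= cutoff:
            buckets[(ev["src"], ev["method"])].append(ev)
    alerts = []
    for (src, method), evs in buckets.items():
        apis = sorted({ev["path"] for ev in evs})
        if len(evs) >= 3 or len(apis) >= 2:
            alerts.append({
                "source_ip": src, "method": method,
                "request_count": len(evs), "unique_apis": len(apis),
                "apis_accessed": apis,
                "first_seen": min(ev["ts"] for ev in evs).isoformat(),
                "last_seen": max(ev["ts"] for ev in evs).isoformat(),
                "risk": risk_score(len(apis), len(evs)),
            })
    alerts.sort(key=lambda a: (-a["unique_apis"], -a["request_count"]))
    return alerts


# Constructed sample: one suspicious external source hitting four privileged
# endpoints, one allow-listed CI/CD service account pushing templates, and one
# admin whose privileged call was rejected (403) and so does not count.
SAMPLE_LOG = """\
2026-04-21T09:00:01 203.0.113.7 "POST /dataservice/aaa/user HTTP/1.1" 200 -
2026-04-21T09:00:02 203.0.113.7 "POST /dataservice/template/device HTTP/1.1" 201 -
2026-04-21T09:00:03 203.0.113.7 "POST /dataservice/certificate/list HTTP/1.1" 200 -
2026-04-21T09:00:04 203.0.113.7 "POST /dataservice/device/action/list?x=1 HTTP/1.1" 200 -
2026-04-21T09:00:05 203.0.113.7 "PUT /dataservice/admin/user HTTP/1.1" 200 -
2026-04-21T09:00:06 203.0.113.7 "GET /dataservice/system/information HTTP/1.1" 200 -
2026-04-21T09:05:00 10.10.0.5 "POST /dataservice/template/device HTTP/1.1" 200 cicd-svc
2026-04-21T09:05:01 10.10.0.5 "POST /dataservice/template/feature HTTP/1.1" 200 cicd-svc
2026-04-21T09:10:00 10.10.0.9 "POST /dataservice/device/action/list HTTP/1.1" 403 admin
2026-04-21T09:11:00 10.10.0.9 "PUT /dataservice/settings/configuration HTTP/1.1" 200 admin
"""


def sample_alerts(allowlist=frozenset({"cicd-svc"})):
    """Run the detection over the constructed sample with the CI/CD account allow-listed."""
    return detect(SAMPLE_LOG.splitlines(), allowlist=allowlist)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["risk"], a["source_ip"], a["method"], a["request_count"], a["apis_accessed"])
```

Two points carry over to the production rule. First, like the KQL, only POST/PUT/DELETE/PATCH are counted, so the GET-only enumeration described in Tests 1 and 3 of the testing methodology below would not fire this rule unless the method filter is widened. Second, key the allow-list to the service account and its fixed source addresses rather than to API paths; a caller that is not the service account but touches the same template endpoints is then still counted, which is exactly the case the rule exists for.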
Sigma rule & cross-platform mapping
The detection logic for Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
Platform-specific guides for CVE-2026-20122
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated SD-WAN Manager Privileged API Probe
  Expected signal: HTTP GET requests to /dataservice/admin/user, /dataservice/system/information, /dataservice/aaa/usergroup, /dataservice/certificate/list from the test host to port 8443, logged in vManage access logs and network flow.
- Test 2: Privileged API Admin Account Creation Simulation
  Expected signal: POST to /dataservice/aaa/user with a new username payload logged in vManage audit log, network capture showing the request body containing userName and group fields.
- Test 3: SD-WAN Manager Template Enumeration and Exfiltration Simulation
  Expected signal: Sequential GET requests to /dataservice/template/device, /dataservice/template/feature, /dataservice/device, and /dataservice/device/action/list within a short timeframe from a single source IP.
- Test 4: Rapid Privileged API Burst from Single Source
  Expected signal: 21+ HTTP requests across 7 distinct privileged API paths within seconds, all from the same source IP, logged in vManage access logs and network telemetry.
Unlock Pro Content
Get the full detection package for CVE-2026-20122 including response playbook, investigation guide, and atomic red team tests.