
Detect Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122) in Google Chronicle

Detects exploitation of CVE-2026-20122, a critical vulnerability in Cisco Catalyst SD-WAN Manager involving incorrect use of privileged APIs (CWE-648). This KEV-listed flaw allows attackers to invoke privileged API endpoints without proper authorization, potentially enabling unauthorized configuration changes, credential harvesting, or full SD-WAN infrastructure takeover. Active exploitation has been observed in the wild per CISA Emergency Directive ED-26-03.

MITRE ATT&CK

Tactic

  • Initial Access
  • Privilege Escalation
  • Defense Evasion
  • Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule cisco_sdwan_privileged_api_abuse_cve_2026_20122 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation of CVE-2026-20122 via unauthorized privileged API access on Cisco Catalyst SD-WAN Manager"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"
    cve = "CVE-2026-20122"

  events:
    // Successful mutating HTTP calls only; read-only probes are not counted
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method in ("POST", "PUT", "DELETE", "PATCH")
    $e.network.http.response_code in (200, 201, 204)
    // Privileged SD-WAN Manager API surfaces (unanchored prefix match)
    (
      re.regex($e.network.http.request_url, `/dataservice/admin`) or
      re.regex($e.network.http.request_url, `/dataservice/system`) or
      re.regex($e.network.http.request_url, `/dataservice/device/action`) or
      re.regex($e.network.http.request_url, `/dataservice/template`) or
      re.regex($e.network.http.request_url, `/dataservice/settings/configuration`) or
      re.regex($e.network.http.request_url, `/dataservice/certificate`) or
      re.regex($e.network.http.request_url, `/dataservice/aaa`)
    )
    $src_ip = $e.principal.ip

  match:
    $src_ip over 10m

  condition:
    #e >= 3
}
```

Severity: critical. Confidence: medium.

Chronicle YARA-L rule detecting repeated successful HTTP mutations against Cisco SD-WAN Manager privileged API endpoints from a single source IP within a 10-minute window, consistent with CVE-2026-20122 privileged API abuse.

Data Sources

  • Chronicle network telemetry
  • Web proxy UDM events
  • Cisco SD-WAN log feed

Required Tables

network_http

False Positives & Tuning

  • Automated configuration management workflows with service accounts accessing the SD-WAN admin API
  • Security assessment tools performing authenticated API enumeration as part of an authorized engagement
  • Cisco Smart Account or licensing services making periodic privileged API calls
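To see what the rule above actually counts, and how the service-account tuning from the false-positive list changes the result, here is an added Python re-implementation of the same logic run over constructed access-log lines. It is example code written for this page, not the page's rule or any Chronicle/Cisco code; the log line format and the IP addresses are assumptions, and the sliding window approximates Chronicle's match-window semantics.

```python
"""Offline model of the YARA-L rule: >=3 successful mutating calls to privileged
SD-WAN Manager API paths from one source IP within 10 minutes (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same path prefixes as the rule's re.regex() alternatives, unanchored like the rule
PRIV_PATHS = re.compile(
    r"/dataservice/(admin|system|device/action|template|settings/configuration|certificate|aaa)")
MUTATING = {"POST", "PUT", "DELETE", "PATCH"}
SUCCESS = {200, 201, 204}
WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # condition: #e >= 3

def parse_line(line):
    # Constructed format (assumption): "<ISO timestamp> <src_ip> <method> <path> <status>"
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)

def matches_event(method, path, status):
    """The 'events:' section: mutating method, 2xx response, privileged path."""
    return method in MUTATING and status in SUCCESS and PRIV_PATHS.search(path) is not None

def detect(lines, allowlist=frozenset()):
    """Return {src_ip: max events seen in any 10-minute window} for sources at/over threshold.
    allowlist models tuning for known configuration-management service accounts."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, method, path, status = parse_line(line)
        if ip in allowlist or not matches_event(method, path, status):
            continue
        per_ip[ip].append(ts)
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2026-01-15T12:00:00 10.0.0.5 POST /dataservice/aaa/user 200",           # counted
    "2026-01-15T12:01:00 10.0.0.5 GET /dataservice/admin/user 200",          # GET: ignored
    "2026-01-15T12:03:00 10.0.0.5 PUT /dataservice/template/device/abc 200", # counted
    "2026-01-15T12:07:00 10.0.0.5 DELETE /dataservice/admin/user/bob 204",   # counted -> 3 hits
    "2026-01-15T12:00:00 10.0.0.9 POST /dataservice/admin/user 401",         # failed: ignored
    "2026-01-15T12:00:30 10.0.0.9 POST /dataservice/device/action/reboot 200",
    "2026-01-15T12:30:00 10.0.0.9 POST /dataservice/device/action/reboot 200", # >10m apart
    "2026-01-15T13:00:00 10.0.0.7 POST /dataservice/device/monitor 200",     # not privileged
    "2026-01-15T14:00:00 10.0.0.20 POST /dataservice/template/feature 200",  # service account
    "2026-01-15T14:00:05 10.0.0.20 PUT /dataservice/template/feature/x 200",
    "2026-01-15T14:00:10 10.0.0.20 PUT /dataservice/template/feature/y 200",
]
```

Running `detect(SAMPLE_LOG)` flags both 10.0.0.5 and the automation host 10.0.0.20; passing `allowlist={"10.0.0.20"}` keeps only the first, which is the tuning the false-positive list above describes.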

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated SD-WAN Manager Privileged API Probe

    Expected signal: HTTP GET requests to /dataservice/admin/user, /dataservice/system/information, /dataservice/aaa/usergroup, /dataservice/certificate/list from the test host to port 8443, logged in vManage access logs and network flow.

  2. Test 2: Privileged API Admin Account Creation Simulation

    Expected signal: POST to /dataservice/aaa/user with a new username payload logged in vManage audit log, network capture showing the request body containing userName and group fields.

  3. Test 3: SD-WAN Manager Template Enumeration and Exfiltration Simulation

    Expected signal: Sequential GET requests to /dataservice/template/device, /dataservice/template/feature, /dataservice/device, and /dataservice/device/action/list within a short timeframe from a single source IP.

  4. Test 4: Rapid Privileged API Burst from Single Source

    Expected signal: 21+ HTTP requests across 7 distinct privileged API paths within seconds, all from the same source IP, logged in vManage access logs and network telemetry.
