CVE-2026-20122 Splunk · SPL

Detect Cisco Catalyst SD-WAN Manager Privileged API Abuse (CVE-2026-20122) in Splunk

Detects exploitation of CVE-2026-20122, a critical vulnerability in Cisco Catalyst SD-WAN Manager involving incorrect use of privileged APIs (CWE-648). This KEV-listed flaw allows attackers to invoke privileged API endpoints without proper authorization, potentially enabling unauthorized configuration changes, credential harvesting, or full SD-WAN infrastructure takeover. Active exploitation has been observed in the wild per CISA Emergency Directive ED-26-03.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion Lateral Movement

SPL Detection Query

Splunk (SPL)
spl 
index=network sourcetype IN ("cisco:sdwan", "cisco:vmanage", "cisco:sdwan:audit", "pan:traffic", "cisco:asa")
| eval api_path=coalesce(uri, url, request_uri, cs_uri_stem)
| eval http_method=coalesce(method, http_method, cs_method)
| eval src_ip=coalesce(src_ip, c_ip, src, clientip)
| eval http_status=coalesce(status, http_status_code, sc_status)
| where match(api_path, "(?i)/dataservice/(admin|system|device/action|template|settings/configuration|certificate|aaa)")
| where http_method IN ("POST", "PUT", "DELETE", "PATCH")
| where http_status IN ("200", "201", "204")
| bucket _time span=10m
| stats
    count AS request_count,
    dc(api_path) AS unique_apis,
    values(api_path) AS apis_accessed,
    values(http_method) AS methods_used,
    min(_time) AS first_seen,
    max(_time) AS last_seen
  BY src_ip, _time
| where request_count >= 3 OR unique_apis >= 2
| eval risk_score=case(
    unique_apis >= 4, "Critical",
    unique_apis >= 2, "High",
    request_count >= 10, "High",
    true(), "Medium"
  )
| eval alert_title="CVE-2026-20122: Cisco SD-WAN Manager Privileged API Abuse"
| table _time, src_ip, request_count, unique_apis, apis_accessed, methods_used, risk_score, first_seen, last_seen
| sort - unique_apis, - request_count
critical severity medium confidence

Detects suspicious privileged API access patterns against Cisco SD-WAN Manager consistent with CVE-2026-20122 exploitation. Aggregates access by source IP over 10-minute windows, flagging sources that touch multiple admin API paths or make repeated mutation requests.

Data Sources

Cisco SD-WAN Manager audit logsWeb proxy logsNetwork flow data

Required Sourcetypes

cisco:sdwancisco:vmanagecisco:sdwan:audit

False Positives & Tuning

  • Authorized network engineers performing SD-WAN policy pushes or device onboarding via API
  • Monitoring platforms such as Cisco Crosswork or third-party SIEM integrations polling management APIs
  • Penetration testing engagements targeting SD-WAN infrastructure with prior written authorization
  • Cisco smart licensing or telemetry daemons making periodic calls to configuration endpoints

Other platforms for CVE-2026-20122

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated SD-WAN Manager Privileged API Probe

    Expected signal: HTTP GET requests to /dataservice/admin/user, /dataservice/system/information, /dataservice/aaa/usergroup, /dataservice/certificate/list from the test host to port 8443, logged in vManage access logs and network flow.

  2. Test 2Privileged API Admin Account Creation Simulation

    Expected signal: POST to /dataservice/aaa/user with a new username payload logged in vManage audit log, network capture showing the request body containing userName and group fields.

  3. Test 3SD-WAN Manager Template Enumeration and Exfiltration Simulation

    Expected signal: Sequential GET requests to /dataservice/template/device, /dataservice/template/feature, /dataservice/device, and /dataservice/device/action/list within a short timeframe from a single source IP.

  4. Test 4Rapid Privileged API Burst from Single Source

    Expected signal: 21+ HTTP requests across 7 distinct privileged API paths within seconds, all from the same source IP, logged in vManage access logs and network telemetry.

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20122 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense EvasionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1098Account ManipulationT1021Remote Services

Same Tactic: Initial Access

Popular Detections