CVE-2026-20128 Elastic Security · Elastic

Detect Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) in Elastic Security

CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.

MITRE ATT&CK

Tactic
Credential Access Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=10m
  [file where event.action in ("open", "read", "access") and
   file.path : ("/etc/viptela/*", "/opt/nms/*", "*vmanage*", "*.viptela*") and
   not process.name : ("vmanage", "nms_server", "confd")]
  [process where event.type == "start" and
   process.name : ("sqlite3", "strings", "grep", "cat", "python*", "perl", "ruby") and
   process.args : ("*password*", "*passwd*", "*credential*", "*secret*", "*vmanage*")]
high severity medium confidence

EQL sequence detection for CVE-2026-20128 correlating vManage configuration file access followed by credential-scraping process execution on the same host within 10 minutes, indicative of an attacker chaining file discovery with credential harvesting.

Data Sources

Elastic Endpoint SecurityFilebeatAuditbeat

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate database maintenance scripts accessing vManage SQLite databases
  • Authorized security tooling performing configuration baseline checks
  • Cisco-supplied diagnostic utilities triggering both file and process events in sequence

Other platforms for CVE-2026-20128

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vManage SQLite Credential Database Direct Query

    Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path

  2. Test 2Grep for Passwords in vManage Configuration Directory

    Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms

  3. Test 3Unauthorized vManage REST API Credential Extraction via Python

    Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443

  4. Test 4strings Utility Against vManage Process Memory or Binary

    Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1078Valid AccountsT1021Remote Services

Same Tactic: Credential Access

Popular Detections