Detect Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) in CrowdStrike LogScale
CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN ("ProcessRollup2", "DnsRequest", "NetworkConnectIP4", "FileOpenInfo")
| FilePath LIKE "%/etc/viptela%" OR FilePath LIKE "%/opt/nms%" OR FilePath LIKE "%vmanage%"
OR (ImageFileName LIKE "%sqlite3%" AND CommandLine LIKE "%password%")
OR (ImageFileName LIKE "%python%" AND CommandLine LIKE "%vmanage%" AND CommandLine LIKE "%credential%")
OR (RemoteAddressIP4 != NULL AND LocalPort IN (8443, 8444) AND ImageFileName LIKE "%curl%")
| eval CVE="CVE-2026-20128"
| eval DetectionType=case(
FilePath LIKE "%viptela%" OR FilePath LIKE "%nms%", "Config File Access",
ImageFileName LIKE "%sqlite3%", "Database Credential Scraping",
ImageFileName LIKE "%python%" AND CommandLine LIKE "%vmanage%", "Scripted Credential Extraction",
1==1, "Anomalous SD-WAN Activity"
)
| table _time, ComputerName, UserName, ImageFileName, CommandLine, FilePath, RemoteAddressIP4, CVE, DetectionType
| sort -_time
| limit 200CrowdStrike Falcon NG-SIEM query for CVE-2026-20128 detecting vManage file access, SQLite credential scraping, and scripted credential extraction on endpoints identified as Cisco SD-WAN Manager infrastructure.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor baseline scans touching vManage configuration files
- Legitimate Python automation scripts interfacing with vManage REST API
- IT operations staff running ad-hoc database queries during troubleshooting
Other platforms for CVE-2026-20128
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1vManage SQLite Credential Database Direct Query
Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path
- Test 2Grep for Passwords in vManage Configuration Directory
Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms
- Test 3Unauthorized vManage REST API Credential Extraction via Python
Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443
- Test 4strings Utility Against vManage Process Memory or Binary
Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20128
Unlock Pro Content
Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.