Detect Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) in IBM QRadar
CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.
MITRE ATT&CK
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
sourceip, destinationip, username, QIDNAME(qid) as EventName,
"File Path" as FilePath, "Process Name" as ProcessName,
"Command Line" as CommandLine
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Cisco SD-WAN', 'Linux Syslog', 'Endpoint Management')
AND devicetime > (CURRENT_TIMESTAMP - 604800000)
AND (
("File Path" ILIKE '%/etc/viptela%' OR "File Path" ILIKE '%/opt/nms%' OR "File Path" ILIKE '%vmanage%')
OR
("Process Name" ILIKE ANY ('%sqlite3%', '%strings%', '%grep%') AND "Command Line" ILIKE ANY ('%password%', '%passwd%', '%credential%', '%vmanage%'))
OR
("Event Category" = 'Authentication' AND "Authentication Result" = 'Success' AND username ILIKE '%admin%' AND sourceip NOT INCIDR '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16')
)
ORDER BY devicetime DESC
LIMIT 500QRadar AQL query detecting CVE-2026-20128 exploitation indicators: vManage configuration directory access, credential-scraping process execution, and suspicious authentication from non-RFC1918 sources targeting SD-WAN Manager admin accounts.
Data Sources
Required Tables
False Positives & Tuning
- Administrative tasks performed from jump hosts or bastion servers with external IPs
- Legitimate grep/awk usage by operations staff during troubleshooting sessions
- Third-party network management platforms polling vManage API endpoints
Other platforms for CVE-2026-20128
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1vManage SQLite Credential Database Direct Query
Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path
- Test 2Grep for Passwords in vManage Configuration Directory
Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms
- Test 3Unauthorized vManage REST API Credential Extraction via Python
Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443
- Test 4strings Utility Against vManage Process Memory or Binary
Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20128
Unlock Pro Content
Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.