CVE-2026-20128 Microsoft Sentinel · KQL

Detect Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) in Microsoft Sentinel

CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.

MITRE ATT&CK

Tactic
Credential Access Persistence Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(7d)
| where DeviceName has_any ("sdwan", "vmanage", "sd-wan-manager") or RemoteUrl has_any ("vmanage", "sdwan-manager")
| where (ActionType in ("FileRead", "FileAccessed") and FolderPath has_any ("/etc/viptela", "/opt/nms", "vmanage", "sdwan", ".viptela"))
   or (ProcessCommandLine has_any ("sqlite3", "strings", "grep", "cat") and ProcessCommandLine has_any ("password", "passwd", "credential", "secret", "vmanage"))
   or (ActionType == "NetworkConnectionSuccess" and RemotePort in (8443, 8444, 443) and InitiatingProcessCommandLine has_any ("curl", "wget", "python", "ruby", "perl") and InitiatingProcessCommandLine has "vmanage")
| extend Severity = "High", CVE = "CVE-2026-20128"
| project TimeGenerated, DeviceName, ActionType, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine, RemoteUrl, RemotePort, AccountName, CVE, Severity
| order by TimeGenerated desc
high severity medium confidence

Detects suspicious file access, process activity, and network connections indicative of credential extraction from Cisco Catalyst SD-WAN Manager systems. Looks for reads of vManage configuration directories, credential-scraping commands, and unusual outbound connections from SD-WAN management hosts.

Data Sources

Microsoft Defender for EndpointMicrosoft SentinelAzure Monitor

Required Tables

DeviceNetworkEventsDeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate administrative backup scripts accessing vManage configuration directories
  • Authorized penetration testing or security assessments of SD-WAN infrastructure
  • Cisco TAC support sessions involving configuration file review
  • Automated monitoring agents performing scheduled health checks on vManage

Other platforms for CVE-2026-20128

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vManage SQLite Credential Database Direct Query

    Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path

  2. Test 2Grep for Passwords in vManage Configuration Directory

    Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms

  3. Test 3Unauthorized vManage REST API Credential Extraction via Python

    Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443

  4. Test 4strings Utility Against vManage Process Memory or Binary

    Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1078Valid AccountsT1021Remote Services

Same Tactic: Credential Access

Popular Detections