CVE-2026-20128 Splunk · SPL

Detect Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) in Splunk

CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.

MITRE ATT&CK

Tactic
Credential Access Persistence Lateral Movement

SPL Detection Query

Splunk (SPL)
spl 
index=network OR index=endpoint OR index=syslog
(source="cisco:sdwan" OR source="vmanage" OR host IN ("*vmanage*", "*sdwan*", "*sd-wan-manager*"))
| eval suspicious_file_access=if(match(file_path, "(?i)(\/etc\/viptela|\/opt\/nms|vmanage|\.viptela)") AND match(action, "(?i)(read|open|access)"), 1, 0)
| eval credential_scraping=if(match(process_name, "(?i)(sqlite3|strings|grep|cat|awk|python|perl|ruby)") AND match(cmdline, "(?i)(password|passwd|credential|secret|vmanage|nms_server)"), 1, 0)
| eval suspicious_outbound=if(match(dest_port, "^(8443|8444|443)$") AND match(app, "(?i)(curl|wget|python|ruby|powershell)"), 1, 0)
| where suspicious_file_access=1 OR credential_scraping=1 OR suspicious_outbound=1
| eval cve="CVE-2026-20128", severity="high"
| eval detection_reason=case(suspicious_file_access=1, "Suspicious vManage config file access", credential_scraping=1, "Credential scraping command detected", suspicious_outbound=1, "Suspicious outbound from SD-WAN manager", true(), "Unknown")
| table _time, host, user, process_name, cmdline, file_path, dest, dest_port, detection_reason, cve, severity
| sort -_time
high severity medium confidence

Splunk detection for CVE-2026-20128 targeting Cisco Catalyst SD-WAN Manager credential extraction activity. Correlates file access patterns against known vManage configuration paths, credential-scraping process invocations, and anomalous outbound connections from SD-WAN management infrastructure.

Data Sources

Cisco SD-WAN telemetrySyslogEndpoint Detection and Response

Required Sourcetypes

cisco:sdwansyslogendpoint:processendpoint:file

False Positives & Tuning

  • Scheduled backup jobs that read vManage configuration directories
  • Network management systems performing legitimate API polling of vManage
  • Security audit scripts scanning for configuration compliance
  • Vendor-supplied diagnostics tools run during maintenance windows

Other platforms for CVE-2026-20128

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vManage SQLite Credential Database Direct Query

    Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path

  2. Test 2Grep for Passwords in vManage Configuration Directory

    Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms

  3. Test 3Unauthorized vManage REST API Credential Extraction via Python

    Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443

  4. Test 4strings Utility Against vManage Process Memory or Binary

    Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1078Valid AccountsT1021Remote Services

Same Tactic: Credential Access

Popular Detections