Cisco Catalyst SD-WAN Manager Sensitive Information Exposure (CVE-2026-20133)

let sdwan_mgr_ips = dynamic([]);
let suspicious_paths = dynamic(["/dataservice/", "/auditlog", "/device/config", "/template/", "/setting/configuration", "/admin/user"]);
let timeframe = 24h;
union
(
    DeviceNetworkEvents
    | where TimeGenerated >= ago(timeframe)
    | where RemotePort in (8443, 443, 8080)
    | where RemoteUrl has_any (suspicious_paths)
    | project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, ActionType
    | extend DataSource = "DeviceNetworkEvents"
),
(
    CommonSecurityLog
    | where TimeGenerated >= ago(timeframe)
    | where DeviceVendor == "Cisco" and DeviceProduct has_any ("SD-WAN", "vManage")
    | where RequestURL has_any (suspicious_paths)
    | where DestinationPort in (8443, 443, 8080)
    | project TimeGenerated, DeviceName, SourceIP, RequestURL, DestinationPort, Activity, AdditionalExtensions
    | extend DataSource = "CommonSecurityLog"
),
(
    AzureDiagnostics
    | where TimeGenerated >= ago(timeframe)
    | where Category == "ApplicationGatewayAccessLog"
    | where requestUri_s has_any (suspicious_paths)
    | where httpStatus_i in (200, 201, 206)
    | project TimeGenerated, clientIP_s, requestUri_s, httpStatus_i, host_s
    | extend DataSource = "AzureDiagnostics"
)
| summarize RequestCount = count(), UniqueURLs = dcount(coalesce(RemoteUrl, RequestURL, requestUri_s)) by bin(TimeGenerated, 5m), DataSource
| where RequestCount > 5

index=network OR index=proxy OR index=cisco_sdwan earliest=-24h
| eval sdwan_path=if(match(uri_path, "(?i)(/dataservice/|/auditlog|/device/config|/template/|/setting/configuration|/admin/user)"), "sensitive_path", "normal")
| where sdwan_path="sensitive_path"
| eval port=coalesce(dest_port, dpt)
| where port IN ("443", "8443", "8080")
| stats count AS request_count, dc(uri_path) AS unique_paths, values(uri_path) AS accessed_paths, values(status) AS http_statuses BY src_ip, dest_ip, _time span=5m
| where request_count > 5 OR unique_paths > 3
| eval risk_score=case(
    unique_paths > 10, 90,
    unique_paths > 5, 70,
    request_count > 50, 80,
    true(), 50
  )
| eval alert_name="CVE-2026-20133 SD-WAN Sensitive Info Enumeration"
| table _time, src_ip, dest_ip, request_count, unique_paths, accessed_paths, http_statuses, risk_score, alert_name
| sort -risk_score

sequence by source.ip with maxspan=10m
  [network where event.category == "network" and
   destination.port in (443, 8443, 8080) and
   url.path : ("/dataservice/*", "*/auditlog*", "*/device/config*", "*/template/*", "*/setting/configuration*", "*/admin/user*") and
   http.response.status_code in (200, 201, 206)]
  [network where event.category == "network" and
   destination.port in (443, 8443, 8080) and
   url.path : ("/dataservice/*", "*/device/*", "*/template/*") and
   http.response.status_code in (200, 201, 206)]

SELECT
  sourceip,
  destinationip,
  destinationport,
  URL,
  COUNT(*) AS request_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen,
  COUNT(DISTINCT URL) AS unique_endpoints
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Cisco SD-WAN', 'Apache HTTP Server', 'Cisco ASA')
  AND (
    URL ILIKE '%/dataservice/%'
    OR URL ILIKE '%/auditlog%'
    OR URL ILIKE '%/device/config%'
    OR URL ILIKE '%/template/%'
    OR URL ILIKE '%/setting/configuration%'
    OR URL ILIKE '%/admin/user%'
  )
  AND destinationport IN (443, 8443, 8080)
  AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
GROUP BY sourceip, destinationip, destinationport, URL
HAVING COUNT(*) > 10 OR COUNT(DISTINCT URL) > 3
ORDER BY request_count DESC

_sourceCategory=cisco/sdwan OR _sourceCategory=network/proxy
| parse regex "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?(?P<method>GET|POST|PUT|DELETE)\s+(?P<uri_path>/[^\s]+).*?(?P<status_code>\d{3})"
| where uri_path matches "/dataservice/*" or uri_path matches "*/device/config*" or uri_path matches "*/template/*" or uri_path matches "*/auditlog*" or uri_path matches "*/admin/user*" or uri_path matches "*/setting/configuration*"
| where status_code in ("200", "201", "206")
| timeslice 5m
| stats count as request_count, count_distinct(uri_path) as unique_paths, values(uri_path) as paths_accessed by src_ip, _timeslice
| where request_count > 10 or unique_paths > 3
| sort by request_count desc

rule cve_2026_20133_sdwan_info_disclosure {
  meta:
    author = "df00tech"
    description = "Detects exploitation of CVE-2026-20133 Cisco SD-WAN Manager information disclosure"
    severity = "CRITICAL"
    priority = "HIGH"
    cve = "CVE-2026-20133"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.network.http.method = /GET|POST/
    $req.network.http.response_code = /^(200|201|206)$/
    $req.target.port in (443, 8443, 8080)
    $req.network.http.request_url = /\/dataservice\/|\/auditlog|\/device\/config|\/template\/|\/setting\/configuration|\/admin\/user/
    $src_ip = $req.principal.ip

  match:
    $src_ip over 10m

  condition:
    #req > 5
}

#event_simpleName=NetworkReceiveAccept OR #event_simpleName=NetworkConnectIP4
| CommandLine = /vmanage|sdwan|8443/
| RemotePort IN [443, 8443, 8080]
| groupby([RemoteAddressIP4, LocalAddressIP4, RemotePort], function=[count(aid, as=connection_count), collect(CommandLine, max=20, as=commands)])
| where connection_count > 20
| sort(connection_count, order=desc, limit=50)
| rename(RemoteAddressIP4, as="sdwan_mgr_ip", LocalAddressIP4, as="source_host_ip")