CVE-2026-20133 Microsoft Sentinel · KQL

Detect Cisco Catalyst SD-WAN Manager Sensitive Information Exposure (CVE-2026-20133) in Microsoft Sentinel

Detects exploitation attempts targeting CVE-2026-20133, a CWE-200 information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that allows unauthorized actors to access sensitive configuration and credential data. This vulnerability is actively exploited in the wild (CISA KEV) and may be leveraged to pivot into SD-WAN infrastructure.

MITRE ATT&CK

Tactic
Credential Access Discovery Collection

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let sdwan_mgr_ips = dynamic([]);
let suspicious_paths = dynamic(["/dataservice/", "/auditlog", "/device/config", "/template/", "/setting/configuration", "/admin/user"]);
let timeframe = 24h;
union
(
    DeviceNetworkEvents
    | where TimeGenerated >= ago(timeframe)
    | where RemotePort in (8443, 443, 8080)
    | where RemoteUrl has_any (suspicious_paths)
    | project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, ActionType
    | extend DataSource = "DeviceNetworkEvents"
),
(
    CommonSecurityLog
    | where TimeGenerated >= ago(timeframe)
    | where DeviceVendor == "Cisco" and DeviceProduct has_any ("SD-WAN", "vManage")
    | where RequestURL has_any (suspicious_paths)
    | where DestinationPort in (8443, 443, 8080)
    | project TimeGenerated, DeviceName, SourceIP, RequestURL, DestinationPort, Activity, AdditionalExtensions
    | extend DataSource = "CommonSecurityLog"
),
(
    AzureDiagnostics
    | where TimeGenerated >= ago(timeframe)
    | where Category == "ApplicationGatewayAccessLog"
    | where requestUri_s has_any (suspicious_paths)
    | where httpStatus_i in (200, 201, 206)
    | project TimeGenerated, clientIP_s, requestUri_s, httpStatus_i, host_s
    | extend DataSource = "AzureDiagnostics"
)
| summarize RequestCount = count(), UniqueURLs = dcount(coalesce(RemoteUrl, RequestURL, requestUri_s)) by bin(TimeGenerated, 5m), DataSource
| where RequestCount > 5
critical severity medium confidence

Detects unusual HTTP access patterns to Cisco SD-WAN Manager API endpoints associated with information disclosure exploitation. Monitors for enumeration of sensitive paths including device configs, templates, audit logs, and user endpoints from unexpected source IPs.

Data Sources

DeviceNetworkEventsCommonSecurityLogAzureDiagnosticsNetworkSessionEvents

Required Tables

DeviceNetworkEventsCommonSecurityLogAzureDiagnostics

False Positives & Tuning

  • Legitimate SD-WAN administrators performing bulk API queries or automation tasks against vManage
  • Authorized monitoring tools or SIEM connectors polling SD-WAN Manager configuration APIs
  • Cisco TAC-initiated remote troubleshooting sessions accessing configuration endpoints
  • Scheduled configuration backup jobs enumerating device templates and settings

Other platforms for CVE-2026-20133

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated SD-WAN Manager Device Config Enumeration

    Expected signal: HTTP GET requests to SD-WAN Manager management port (8443) for paths /dataservice/device, /dataservice/device/config, and /dataservice/admin/user from the test host IP. Response codes may be 200 (vulnerable) or 401/403 (patched/mitigated).

  2. Test 2SD-WAN Manager Template and Credential Harvest Simulation

    Expected signal: File creation events in /tmp/sdwan_harvest_test alongside network connections to vManage port 8443. Curl process making multiple sequential HTTP GET requests to /dataservice/template/device, /dataservice/setting/configuration, and /dataservice/auditlog.

  3. Test 3Automated SD-WAN Manager API Endpoint Enumeration with Token Extraction

    Expected signal: Rapid sequential HTTP GET requests (9 requests within ~5 seconds with 0.5s delay) to multiple /dataservice/ subpaths from a single source IP. HTTP status codes logged for each endpoint. Process: bash script executing curl in a loop.

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20133 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0007DiscoveryTA0009Collection

Related Techniques

T1190Exploit Public-Facing ApplicationT1552.001Credentials In FilesT1046Network Service DiscoveryT1078Valid Accounts

Same Tactic: Credential Access

Popular Detections