Detect Cisco Catalyst SD-WAN Manager Sensitive Information Exposure (CVE-2026-20133) in Splunk
Detects exploitation attempts targeting CVE-2026-20133, a CWE-200 information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that allows unauthorized actors to access sensitive configuration and credential data. This vulnerability is actively exploited in the wild (CISA KEV) and may be leveraged to pivot into SD-WAN infrastructure.
MITRE ATT&CK
- Tactic
- Credential Access Discovery Collection
SPL Detection Query
index=network OR index=proxy OR index=cisco_sdwan earliest=-24h
| eval sdwan_path=if(match(uri_path, "(?i)(/dataservice/|/auditlog|/device/config|/template/|/setting/configuration|/admin/user)"), "sensitive_path", "normal")
| where sdwan_path="sensitive_path"
| eval port=coalesce(dest_port, dpt)
| where port IN ("443", "8443", "8080")
| stats count AS request_count, dc(uri_path) AS unique_paths, values(uri_path) AS accessed_paths, values(status) AS http_statuses BY src_ip, dest_ip, _time span=5m
| where request_count > 5 OR unique_paths > 3
| eval risk_score=case(
unique_paths > 10, 90,
unique_paths > 5, 70,
request_count > 50, 80,
true(), 50
)
| eval alert_name="CVE-2026-20133 SD-WAN Sensitive Info Enumeration"
| table _time, src_ip, dest_ip, request_count, unique_paths, accessed_paths, http_statuses, risk_score, alert_name
| sort -risk_scoreIdentifies bulk or sequential access to Cisco SD-WAN Manager sensitive REST API endpoints that may indicate exploitation of CVE-2026-20133 information disclosure vulnerability. Scores findings by access frequency and path diversity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated configuration management tools with legitimate access to vManage APIs
- Monitoring solutions polling device status and configuration endpoints regularly
- SD-WAN administrator bulk operations during maintenance windows
- Cisco vAnalytics or integrated telemetry services querying configuration data
Other platforms for CVE-2026-20133
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated SD-WAN Manager Device Config Enumeration
Expected signal: HTTP GET requests to SD-WAN Manager management port (8443) for paths /dataservice/device, /dataservice/device/config, and /dataservice/admin/user from the test host IP. Response codes may be 200 (vulnerable) or 401/403 (patched/mitigated).
- Test 2SD-WAN Manager Template and Credential Harvest Simulation
Expected signal: File creation events in /tmp/sdwan_harvest_test alongside network connections to vManage port 8443. Curl process making multiple sequential HTTP GET requests to /dataservice/template/device, /dataservice/setting/configuration, and /dataservice/auditlog.
- Test 3Automated SD-WAN Manager API Endpoint Enumeration with Token Extraction
Expected signal: Rapid sequential HTTP GET requests (9 requests within ~5 seconds with 0.5s delay) to multiple /dataservice/ subpaths from a single source IP. HTTP status codes logged for each endpoint. Process: bash script executing curl in a loop.
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20133
Unlock Pro Content
Get the full detection package for CVE-2026-20133 including response playbook, investigation guide, and atomic red team tests.