Detection: Cisco SD-WAN Multiple SSH key Authentication from Same Source

Updated Date: 2026-06-09 ID: 23e15133-d825-4e1d-b885-b8fe3909e947 Author: Teoderick Contreras, Splunk Type: Hunting Product: Splunk Enterprise Security

Description

This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component. After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations.

Search

 1`cisco_sd_wan_syslog`
 2"Accepted publickey"
 3
 4| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
 5
 6| stats dc(ssh_key) as distinct_keys
 7        values(ssh_key) as ssh_keys
 8  count by dest user src
 9
10| where distinct_keys > 1
11
12| `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco SD-WAN Auth Log	Other	`'cisco:sdwan:syslog'`	`'/var/log/auth.log'`

Macros Used

Name	Value
cisco_sd_wan_syslog	`sourcetype=cisco:sdwan:syslog`
cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter	`search *`

cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1595	Active Scanning	Reconnaissance

Reconnaissance

DE.AE

CIS 13

CVE

CVE-2026-20127

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	No
Creates Intermediate Finding (Risk Event)	No

Hunting detections do not generate a Finding (Notable) or Intermediate Findings (Risk Events).

Implementation

This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Cisco Catalyst SD-WAN Analytics

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`/var/log/auth.log`	`cisco:sdwan:syslog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1