Detection: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication

Updated Date: 2026-06-09 ID: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4 Author: Teoderick Contreras, Splunk Type: Hunting Product: Splunk Enterprise Security

Description

This analytic identifies multiple unique source IP addresses successfully authenticating as vmanage-admin via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show Accepted publickey for vmanage-admin entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.

Search

 1`cisco_sd_wan_syslog`
 2"Accepted publickey"
 3
 4| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
 5
 6| where user="vmanage-admin"
 7
 8| bin event_timestamp span=2m
 9
10| stats dc(src) as unique_src_ips
11        values(src) as src_ips
12        values(user) as users
13  count as auth_count by event_timestamp dest
14
15| where unique_src_ips >= 2
16
17| sort 0 - unique_src_ips
18
19| `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`

Data Source

Name	Platform	Sourcetype	Source
Cisco SD-WAN Auth Log	Other	`'cisco:sdwan:syslog'`	`'/var/log/auth.log'`

Macros Used

Name	Value
cisco_sd_wan_syslog	`sourcetype=cisco:sdwan:syslog`
cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter	`search *`

cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1595	Active Scanning	Reconnaissance

Reconnaissance

DE.AE

CIS 13

CVE

CVE-2026-20127

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	No
Creates Intermediate Finding (Risk Event)	No

Hunting detections do not generate a Finding (Notable) or Intermediate Findings (Risk Events).

Implementation

This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Cisco Catalyst SD-WAN Analytics

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`/var/log/auth.log`	`cisco:sdwan:syslog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1