
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity

This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager. It leverages the "serviceproxy_access.log" and identifies source-host combinations that perform all key stages of the exploitation as reported in public POCs within a short period: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`). The behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).

MITRE ATT&CK

initial-access

Detection Query

`cisco_sd_wan_service_proxy_access`
| rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
| rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
| eval
    http_response_code = tonumber(http_response_code),
    bytes_in           = tonumber(bytes_in),
    bytes_out          = tonumber(bytes_out),
    duration           = tonumber(duration),
    upstream_service_time = if(upstream_service_time="-", null(), tonumber(upstream_service_time)),
    status             = http_response_code,
    bytes              = bytes_in + bytes_out,
    http_user_agent_length = len(http_user_agent)

| search (
        (   http_method="POST"
            uri IN (
                "*/dataservice/smartLicensing/uploadAck*"
            )
        )
        OR (
            http_method="GET"
            uri="*/reports/data/opt/data/containers/config/data-collection-agent/.dca*"
            )
        OR (uri="*.gz/*")
)

| eval uri_sequence_steps = case(
        match(uri, ".*/\.dca"),       "auth",
        match(uri, ".*/uploadAck"),   "upload",
        match(uri, ".*\.gz/.*"),      "payload",
        true(),                       "other"
)

| bin _time span=1m
| stats
    dc(uri_sequence_steps)        as unique_uri_sequence_steps
    values(uri)                   as uri
    values(http_method)           as http_method
    values(http_user_agent)       as http_user_agent
    min(_time)                    as firstTime
    max(_time)                    as lastTime
by src dest _time

| where unique_uri_sequence_steps >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort 0 - firstTime
| `cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity_filter`
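The following Python script is an added example, not part of the ESCU content or Splunk's code: it re-implements the detection logic above outside Splunk so the field extraction, the stage labelling and the per-minute `src`/`dest` grouping can be checked against sample lines. The sample log lines are constructed in the Envoy access-log layout that the `rex` expects; the IPs, hostnames, request ids and the `.gz/` payload-style path are invented for the example. It also shows one tuning caveat of the fixed `bin _time span=1m`: a sequence whose stages straddle a minute boundary lands in two bins and does not reach the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample lines in the Envoy access-log layout the detection's rex expects:
# [start time] "METHOD URI PROTOCOL" status flags bytes_in bytes_out duration upstream_time
# "x-forwarded-for" "user-agent" "x-request-id" "authority" "upstream host".
# All IPs, hostnames, request ids and the archive.gz path are invented for this example.
SAMPLE_LOG = [
    # src A: all three stages inside the 10:00 minute -> expected to alert
    '[2026-03-09T10:00:01.000Z] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 - 0 2048 12 10 "203.0.113.10" "python-requests/2.31" "req-0001" "sdwan-manager.example" "10.0.0.5:8443"',
    '[2026-03-09T10:00:20.000Z] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 - 512 64 30 25 "203.0.113.10" "python-requests/2.31" "req-0002" "sdwan-manager.example" "10.0.0.5:8443"',
    '[2026-03-09T10:00:45.000Z] "GET /example/archive.gz/entry HTTP/1.1" 200 - 0 1024 8 - "203.0.113.10" "python-requests/2.31" "req-0003" "sdwan-manager.example" "10.0.0.5:8443"',
    # src B: a single matching stage plus unrelated traffic -> no alert
    '[2026-03-09T10:05:00.000Z] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 - 0 2048 12 10 "198.51.100.7" "Mozilla/5.0" "req-0004" "sdwan-manager.example" "10.0.0.5:8443"',
    '[2026-03-09T10:05:10.000Z] "GET /dataservice/device HTTP/1.1" 200 - 0 300 5 4 "198.51.100.7" "Mozilla/5.0" "req-0005" "sdwan-manager.example" "10.0.0.5:8443"',
    # src C: three stages split across the 10:10 / 10:11 minute boundary -> no alert with 1m bins
    '[2026-03-09T10:10:59.000Z] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 - 0 2048 12 10 "192.0.2.44" "curl/8.0" "req-0006" "sdwan-manager.example" "10.0.0.5:8443"',
    '[2026-03-09T10:11:05.000Z] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 - 512 64 30 25 "192.0.2.44" "curl/8.0" "req-0007" "sdwan-manager.example" "10.0.0.5:8443"',
    '[2026-03-09T10:11:30.000Z] "GET /example/archive.gz/entry HTTP/1.1" 200 - 0 1024 8 - "192.0.2.44" "curl/8.0" "req-0008" "sdwan-manager.example" "10.0.0.5:8443"',
]

# Same field layout as the detection's rex; the timestamp is captured as well so the
# example can bucket on it the way `bin _time span=1m` does in Splunk.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]*)\]\s+"(?P<http_method>\S+)\s+(?P<uri>\S+)\s+(?P<http_protocol>[^"]+)"\s+'
    r'(?P<http_response_code>\S+)\s+(?P<response_flags>\S+)\s+(?P<bytes_in>\S+)\s+(?P<bytes_out>\S+)\s+'
    r'(?P<duration>\S+)\s+(?P<upstream_service_time>\S+)\s+"(?P<src>[^"]+)"\s+"(?P<http_user_agent>[^"]+)"\s+'
    r'"(?P<x_request_id>[^"]+)"\s+"(?P<dest>[^"]+)"\s+"(?P<upstream_host>[^"]+)"'
)

# The `search` filter as (method, Splunk-style wildcard) pairs; None means any method.
SEARCH_FILTER = [
    ("POST", "*/dataservice/smartLicensing/uploadAck*"),
    ("GET", "*/reports/data/opt/data/containers/config/data-collection-agent/.dca*"),
    (None, "*.gz/*"),
]

# The `case()` labelling, evaluated in the same order as the SPL.
STEP_LABELS = [
    ("auth", re.compile(r"/\.dca")),
    ("upload", re.compile(r"/uploadAck")),
    ("payload", re.compile(r"\.gz/")),
]


def parse_line(line):
    """Return the fields the rex extracts, with the same eval casts applied, or None on no match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    for k in ("http_response_code", "bytes_in", "bytes_out", "duration"):
        rec[k] = int(rec[k])
    ust = rec["upstream_service_time"]
    rec["upstream_service_time"] = None if ust == "-" else int(ust)  # "-" becomes null()
    rec["bytes"] = rec["bytes_in"] + rec["bytes_out"]
    return rec


def matches_filter(rec):
    """True when the event would survive the `search (...)` stage of the detection."""
    return any((method is None or rec["http_method"] == method) and fnmatchcase(rec["uri"], pattern)
               for method, pattern in SEARCH_FILTER)


def label_step(uri):
    """Mirror of `eval uri_sequence_steps = case(...)`."""
    for name, pat in STEP_LABELS:
        if pat.search(uri):
            return name
    return "other"


def find_sequences(lines, min_steps=3):
    """Group filtered requests per (src, dest, 1-minute bin); keep bins with >= min_steps distinct stages."""
    bins = defaultdict(lambda: {"steps": set(), "uris": set(), "agents": set(), "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_filter(rec):
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)  # bin _time span=1m
        b = bins[(rec["src"], rec["dest"], minute)]
        b["steps"].add(label_step(rec["uri"]))
        b["uris"].add(rec["uri"])
        b["agents"].add(rec["http_user_agent"])
        b["times"].append(rec["ts"])
    hits = []
    for (src, dest, minute), b in bins.items():
        if len(b["steps"]) >= min_steps:  # where unique_uri_sequence_steps >= 3
            hits.append({
                "src": src, "dest": dest, "bin": minute,
                "unique_uri_sequence_steps": len(b["steps"]),
                "steps": sorted(b["steps"]), "uri": sorted(b["uris"]),
                "http_user_agent": sorted(b["agents"]),
                "firstTime": min(b["times"]), "lastTime": max(b["times"]),
            })
    return sorted(hits, key=lambda h: h["firstTime"], reverse=True)  # sort 0 - firstTime


if __name__ == "__main__":
    for hit in find_sequences(SAMPLE_LOG):
        print(f'{hit["src"]} -> {hit["dest"]} @ {hit["bin"]:%H:%M}: {hit["steps"]}')
```

Run against the constructed sample, only the 10:00 bin for 203.0.113.10 reaches three distinct stages. The third source performs the same three stages but its `.dca` request falls in the 10:10 bin and the other two in 10:11, so neither bin reaches the threshold; if that matters in your environment, `bin` can be replaced with a sliding-window correlation (for example `streamstats` with `time_window`) at the cost of a more expensive search.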

Author

Nasreddine Bencherchali, Splunk

Created

2026-03-09

Data Sources

Cisco SD-WAN Service Proxy Access Logs

Tags

Cisco Catalyst SD-WAN Analytics
Raw Content
name: Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
id: 2f3862c6-45ff-4a02-9bd4-7e25c209fcd9
version: 1
date: '2026-03-09'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
description: |
    This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager.
    It leverages the "serviceproxy_access.log" and identifies source-host combinations that perform all key stages of the exploitation as reported in public POCs within a short period: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`).
    The behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).
data_source:
    - Cisco SD-WAN Service Proxy Access Logs
search: |-
    `cisco_sd_wan_service_proxy_access`
    | rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
    | rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
    | eval
        http_response_code = tonumber(http_response_code),
        bytes_in           = tonumber(bytes_in),
        bytes_out          = tonumber(bytes_out),
        duration           = tonumber(duration),
        upstream_service_time = if(upstream_service_time="-", null(), tonumber(upstream_service_time)),
        status             = http_response_code,
        bytes              = bytes_in + bytes_out,
        http_user_agent_length = len(http_user_agent)

    | search (
            (   http_method="POST"
                uri IN (
                    "*/dataservice/smartLicensing/uploadAck*"
                )
            )
            OR (
                http_method="GET"
                uri="*/reports/data/opt/data/containers/config/data-collection-agent/.dca*"
                )
            OR (uri="*.gz/*")
    )

    | eval uri_sequence_steps = case(
            match(uri, ".*/\.dca"),       "auth",
            match(uri, ".*/uploadAck"),   "upload",
            match(uri, ".*\.gz/.*"),      "payload",
            true(),                       "other"
    )

    | bin _time span=1m
    | stats
        dc(uri_sequence_steps)        as unique_uri_sequence_steps
        values(uri)                   as uri
        values(http_method)           as http_method
        values(http_user_agent)       as http_user_agent
        min(_time)                    as firstTime
        max(_time)                    as lastTime
    by src dest _time

    | where unique_uri_sequence_steps >= 3
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | sort 0 - firstTime
    | `cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity_filter`
how_to_implement: |
    This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk.
    These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log".
known_false_positives: |
    No false positives have been identified at this time.
references:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
    - https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Cisco SD-WAN Manager exploitation activity from $src$ has been identified targeting host $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Cisco Catalyst SD-WAN Analytics
    asset_type: Network
    cve:
        - CVE-2026-20122
        - CVE-2026-20128
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_sd_wan/service_proxy_access/serviceproxy_access.log
          source: /var/log/nms/containers/service-proxy/serviceproxy-access.log
          sourcetype: cisco:sdwan:access