EXPLORE
← Back to Explore
splunk_escuHunting

Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication

This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.

Detection Query

`cisco_sd_wan_syslog`
"Accepted publickey"
| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
| where user="vmanage-admin"
| bin event_timestamp span=2m
| stats dc(src) as unique_src_ips
        values(src) as src_ips
        values(user) as users
  count as auth_count by event_timestamp dest
| where unique_src_ips >= 2
| sort 0 - unique_src_ips
| `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`

Author

Teoderick Contreras, Splunk

Data Sources

Cisco SD-WAN Auth Log
Raw Content
name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4
version: 1
creation_date: '2026-06-09'
modification_date: '2026-06-09'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: |-
    This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window.
    This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs.
    Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
data_source:
    - Cisco SD-WAN Auth Log
search: |-
    `cisco_sd_wan_syslog`
    "Accepted publickey"
    | rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
    | where user="vmanage-admin"
    | bin event_timestamp span=2m
    | stats dc(src) as unique_src_ips
            values(src) as src_ips
            values(user) as users
      count as auth_count by event_timestamp dest
    | where unique_src_ips >= 2
    | sort 0 - unique_src_ips
    | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`
how_to_implement: |
    This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
known_false_positives: |
    No false positives have been identified at this time.
references:
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
analytic_story:
    - Cisco Catalyst SD-WAN Analytics
asset_type: Network
cve:
    - CVE-2026-20127
mitre_attack_id:
    - T1595
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
          source: /var/log/auth.log
          sourcetype: cisco:sdwan:syslog
      test_type: unit