← Back to Explore
splunk_escuHunting
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
Detection Query
`cisco_sd_wan_syslog`
"Accepted publickey"
| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
| where user="vmanage-admin"
| bin event_timestamp span=2m
| stats dc(src) as unique_src_ips
values(src) as src_ips
values(user) as users
count as auth_count by event_timestamp dest
| where unique_src_ips >= 2
| sort 0 - unique_src_ips
| `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`Author
Teoderick Contreras, Splunk
Data Sources
Cisco SD-WAN Auth Log
Raw Content
name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4
version: 1
creation_date: '2026-06-09'
modification_date: '2026-06-09'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: |-
This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window.
This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs.
Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
data_source:
- Cisco SD-WAN Auth Log
search: |-
`cisco_sd_wan_syslog`
"Accepted publickey"
| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
| where user="vmanage-admin"
| bin event_timestamp span=2m
| stats dc(src) as unique_src_ips
values(src) as src_ips
values(user) as users
count as auth_count by event_timestamp dest
| where unique_src_ips >= 2
| sort 0 - unique_src_ips
| `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`
how_to_implement: |
This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
known_false_positives: |
No false positives have been identified at this time.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
analytic_story:
- Cisco Catalyst SD-WAN Analytics
asset_type: Network
cve:
- CVE-2026-20127
mitre_attack_id:
- T1595
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: application
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
source: /var/log/auth.log
sourcetype: cisco:sdwan:syslog
test_type: unit