Splunk

Cisco IOS XE WebUI Login From IOSd Local Port

Last updated 2 days ago on 2026-07-17

About

This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. This is a strong an indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
This local port value should not appear for normal WebUI logins. So false positives should very minimal.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility="SEC_LOGIN" mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED") message_text="*[localport: 21111]*" | rex field=_raw "\[user:\s*(?<user>[^\]]+)\]" | rex field=_raw "\[Source:\s*(?<src_ip>[^\]]+)\]" | rex field=_raw "\[localport:\s*(?<local_port>[^\]]+)\]" | rex field=_raw "\[Reason:\s*(?<reason>[^\]]+)\]" | rex field=_raw "\[ACL:\s*(?<acl>[^\]]+)\]" | eval dest=coalesce(host, dvc, dest, "unknown") | stats count min(_time) as firstTime max(_time) as lastTime values(local_port) as local_port values(acl) as acl by dest user src_ip reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_webui_login_from_iosd_local_port_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).