FZ / 2fc248b2-0829-4d0d-be9d-62b07472f709

Cisco SD-WAN Tenant List Upload from a CLI Path

Detects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.

Sigma source

Raw YAML
title: Cisco SD-WAN Tenant List Upload from a CLI Path
id: 2fc248b2-0829-4d0d-be9d-62b07472f709
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
logsource:
  product: linux
  service: syslog
detection:
  selection:
    message|contains|all:
      - 'vconfd_script_upload_tenant_list.sh'
      - '-cli path'
      - 'vpn'
  condition: selection
falsepositives:
  - Authorized Cisco SD-WAN tenant-list administration using a reviewed local file
level: high
tags:
  - attack.privilege-escalation
  - attack.t1068
telemetry_assumptions:
  - Cisco SD-WAN script logs are forwarded off-device and normalized into a message field.
  - Authentication, rollback, and command-history data are retained for validation.
related_publication: cisco-sd-wan-manager-zero-day-root-escalation

Published with Cisco SD-WAN Manager zero-day enabled root escalation.