FZ / 2fc248b2-0829-4d0d-be9d-62b07472f709
Cisco SD-WAN Tenant List Upload from a CLI Path
Detects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.
Sigma source
Raw YAMLtitle: Cisco SD-WAN Tenant List Upload from a CLI Path
id: 2fc248b2-0829-4d0d-be9d-62b07472f709
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects the Cisco SD-WAN tenant-list upload script receiving a CLI file path and VPN argument, an event observed during exploitation of CVE-2026-20245.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
logsource:
product: linux
service: syslog
detection:
selection:
message|contains|all:
- 'vconfd_script_upload_tenant_list.sh'
- '-cli path'
- 'vpn'
condition: selection
falsepositives:
- Authorized Cisco SD-WAN tenant-list administration using a reviewed local file
level: high
tags:
- attack.privilege-escalation
- attack.t1068
telemetry_assumptions:
- Cisco SD-WAN script logs are forwarded off-device and normalized into a message field.
- Authentication, rollback, and command-history data are retained for validation.
related_publication: cisco-sd-wan-manager-zero-day-root-escalation
Published with Cisco SD-WAN Manager zero-day enabled root escalation.