| Type | Indicator | Description | Severity |
|---|---|---|---|
| URL | /dataservice/disasterrecovery/download/token | vManage REST API endpoint associated with reported authentication-bypass and information-disclosure attempts; alert on any request to it from a client that has no authenticated session. | medium |
| URL | /dataservice/client/server | vManage REST API endpoint commonly probed during reconnaissance against Cisco SD-WAN infrastructure; flag source IPs that request it and never go on to complete a login. | medium |
| URL | /dataservice/ | Base path of the vManage REST API; unauthenticated requests that succeed, or access patterns unlike the UI's normal call sequence, may indicate exploitation attempts. | medium |
| FILE_PATH | /opt/csm/web/assets/ | vManage web application asset directory; unexpected file creation here may indicate webshell deployment after exploitation. Compare against a known-good baseline taken at install or upgrade time. | medium |
| FILE_PATH | /opt/csm/web/server/ | vManage server-side application directory; unauthorized modifications may indicate persistent access. | medium |
| FILE_PATH | /var/log/nms/vmanage-server.log | Primary vManage application log; monitor for anomalous API call patterns, authentication failures and error spikes, and forward it off the appliance so an intruder cannot simply truncate it. | high |
| FILE_PATH | /var/log/nms/vmanage-aaa.log | vManage AAA authentication log; critical for detecting unauthorized access attempts and authentication-bypass activity. | high |
| FILE_PATH | /etc/cron.d/ | Cron directory on the vManage appliance; attackers may install persistence mechanisms here after exploitation. | medium |
| FILE_PATH | /tmp/ | Suspicious when vManage processes write executable files or scripts here outside documented upgrade or patch procedures, since /tmp/ is not part of legitimate application staging (legitimate operations use versioned directories under /opt/vmanage/ instead). Detect unexpected file creation, modification times that correlate with process-execution anomalies, and .sh, .py or ELF files in /tmp/ with no corresponding maintenance ticket. | medium |
| REGISTRY_KEY | N/A (Linux-based appliance) | Cisco vManage runs on a Linux-based OS, so registry keys do not apply; focus on filesystem and process monitoring instead. | n/a |
| FILE_PATH | /home/admin/.ssh/authorized_keys | SSH authorized keys file for the admin account; attackers may add public keys here to keep persistent SSH access. Any change should be checked against the set of keys the operations team actually issued. | high |
| URL | /dataservice/settings/configuration/ | Configuration API endpoint; unauthorized access may indicate an attempt to extract or modify SD-WAN configuration data. | medium |
| URL | /dataservice/template/ | Template management API endpoint; exploitation could allow unauthorized template modification that changes WAN policy. | medium |
| FILE_PATH | /usr/share/java/vmanage/ | vManage Java application directory; unexpected JAR files or modifications may indicate supply-chain or post-exploitation tampering. | medium |
| URL | /dataservice/admin/user | User management API endpoint; unauthorized calls that create or modify users may indicate privilege escalation after exploitation. | high |
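As an added example (not code from the page or from Cisco), the following Python triages API log lines against the endpoint watchlist in the table above: unauthenticated success on a watched endpoint, write calls to the user-management and configuration/template endpoints, and a per-source-IP authentication-failure spike. The log line layout, the sample lines, the IP addresses and the use of /j_security_check as the login POST are assumptions made for the demonstration; the real /var/log/nms/vmanage-server.log format differs, so LINE_RE has to be adapted to it before this is pointed at an appliance.

```python
"""Triage of constructed vManage-style API log lines against the endpoint watchlist above.

Added example; the line layout below is an assumption, not the real vmanage-server.log format.
"""
import re
from collections import Counter

# Endpoint watchlist taken from the indicator table; the value is the table's severity.
WATCHED_ENDPOINTS = {
    "/dataservice/admin/user": "high",
    "/dataservice/disasterrecovery/download/token": "medium",
    "/dataservice/client/server": "medium",
    "/dataservice/settings/configuration/": "medium",
    "/dataservice/template/": "medium",
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CONFIG_PREFIXES = ("/dataservice/settings/configuration/", "/dataservice/template/")

# Assumed (hypothetical) line layout: "<ts> <level> <client-ip> <method> <path> <status> user=<name|->"
# where "user=-" marks a request with no authenticated session.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+user=(?P<user>\S+)$"
)

# Constructed sample input, not real appliance output; /j_security_check stands in for the login POST.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO 10.0.0.5 GET /dataservice/client/server 200 user=-
2024-05-01T10:00:02Z INFO 10.0.0.5 GET /dataservice/disasterrecovery/download/token 200 user=-
2024-05-01T10:00:03Z INFO 10.0.0.5 POST /dataservice/admin/user 200 user=admin
2024-05-01T10:00:04Z WARN 10.0.0.7 POST /j_security_check 401 user=-
2024-05-01T10:00:05Z WARN 10.0.0.7 POST /j_security_check 401 user=-
2024-05-01T10:00:06Z WARN 10.0.0.7 POST /j_security_check 401 user=-
2024-05-01T10:01:00Z INFO 10.0.0.9 GET /dataservice/template/feature 200 user=netops
2024-05-01T10:01:01Z INFO 10.0.0.9 GET /dataservice/device 200 user=netops
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def watched_severity(path):
    """Longest-prefix match so a specific endpoint beats a broader one; (None, None) if unwatched."""
    for prefix in sorted(WATCHED_ENDPOINTS, key=len, reverse=True):
        if path.startswith(prefix):
            return prefix, WATCHED_ENDPOINTS[prefix]
    return None, None


def classify(ev):
    """Apply the table's per-endpoint rules to one parsed event; returns a list of findings."""
    hits = []
    unauth = ev["user"] == "-"
    ok = ev["status"] < 400
    prefix, sev = watched_severity(ev["path"])
    if prefix and unauth:
        # Success without a session is the real signal; a 401/403 on the same path is only a probe.
        if ok:
            hits.append((sev, "unauthenticated success on watched endpoint", prefix))
        else:
            hits.append(("low", "unauthenticated probe of watched endpoint", prefix))
    elif unauth and ok and ev["path"].startswith("/dataservice/"):
        hits.append(("medium", "unauthenticated success under /dataservice/", "/dataservice/"))
    if prefix == "/dataservice/admin/user" and ev["method"] in WRITE_METHODS:
        hits.append(("high", "user-management write", prefix))
    if prefix in CONFIG_PREFIXES and ev["method"] in WRITE_METHODS:
        hits.append(("medium", "configuration/template write", prefix))
    return [{"ts": ev["ts"], "ip": ev["ip"], "severity": s, "reason": r, "endpoint": e}
            for s, r, e in hits]


def analyze(log_text, auth_fail_threshold=3):
    """Run classify() over every parseable line and add a per-IP authentication-failure spike rule."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped rather than silently treated as benign
        findings.extend(classify(ev))
        if ev["status"] == 401:
            failures[ev["ip"]] += 1
    for ip, n in failures.items():
        if n >= auth_fail_threshold:
            findings.append({"ts": None, "ip": ip, "severity": "high",
                             "reason": f"{n} authentication failures (threshold {auth_fail_threshold})",
                             "endpoint": None})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['ip']:<10} {f['reason']} {f['endpoint'] or ''}")
```

On the sample input this yields four findings: two medium hits for the unauthenticated 200 responses from 10.0.0.5 on /dataservice/client/server and the disaster-recovery token endpoint, a high hit for the POST to /dataservice/admin/user, and a high hit for the three consecutive 401s from 10.0.0.7. The threshold and the "-" marker for an anonymous session are the two knobs to tune once the real log format is known.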