CVE-2001-0537
published 2001-07-21


Priority: P274 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 68.45% (99.2th percentile)

HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.

Affected

91 ranges · showing 25
Vendor / Product / Version range / Fixed in
cisco / ios (all 25 rows shown)

Detection & IOCs (extracted from sources)

url: /level/16/exec/show/config/CR
url: /level/$NUMBER/exec/...
command: GET /level/16/exec/show%20conf HTTP/1.0
command: GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0
  • Detect HTTP GET requests to paths matching /level/<16-99>/exec/ on port 80 targeting Cisco IOS devices; any integer between 16 and 99 in the level field indicates an exploitation attempt.
  • HTTP response body containing 'service config', 'Switch', and 'default-gateway' together on a /level/*/exec/ request confirms successful authentication bypass and config disclosure.
  • HTTP 200 response to /level/<16-99>/exec/ requests (without valid credentials) on Cisco IOS HTTP server indicates the device is vulnerable and the bypass succeeded.
  • Shodan queries can identify exposed vulnerable Cisco IOS HTTP config servers: search for product:"Cisco IOS http config" with status 200.
  • Bulk scanning tools iterate over /level/16 through /level/99 paths; network logs showing sequential requests across this range from a single source IP indicate active exploitation scanning.
  • The vulnerability only affects Cisco IOS devices where local HTTP authorization is enabled; devices not running the IOS HTTP server are not affected.
  • Affected IOS versions span 11.3 through 12.2; the Metasploit module was confirmed to work against a Cisco 1600 Router running IOS v11.3(11d).
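
Added example (not taken from this page's sources or from any vendor tooling): a log triage sketch applying the indicators above to HTTP access logs recorded in front of IOS devices. It assumes Common Log Format with the authenticated user in the third field; the function name, the sweep threshold, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: src ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Tolerates doubled slashes and mixed case in the path prefix.
LEVEL_RE = re.compile(r'^/+level/+(\d+)/+exec(/|$)', re.IGNORECASE)
SWEEP_THRESHOLD = 5  # assumed cut-off: distinct levels requested by one source

def analyze(lines):
    """Return per-source findings for /level/<16-99>/exec/ requests."""
    hits = defaultdict(lambda: {"levels": set(), "bypassed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        src, user, raw_path, status = m.groups()
        path = unquote(raw_path.split("?", 1)[0])  # decode %20 etc.
        lm = LEVEL_RE.match(path)
        if not lm or not 16 <= int(lm.group(1)) <= 99:
            continue  # other paths and levels outside 16-99 are not flagged
        entry = hits[src]
        entry["levels"].add(int(lm.group(1)))
        # 200 with no authenticated user is the bypass condition listed above
        if status == "200" and user == "-":
            entry["bypassed"].append(path)
    return {
        src: {
            "levels": sorted(e["levels"]),
            "sweep": len(e["levels"]) >= SWEEP_THRESHOLD,
            "bypassed": e["bypassed"],
        }
        for src, e in hits.items()
    }

# Constructed sample log lines (documentation address ranges only).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] '
    '"GET /level/16/exec/show%20conf HTTP/1.0" 200 4312',
    '192.0.2.10 - admin [10/Mar/2024:10:00:05 +0000] '
    '"GET /level/15/exec/show/version HTTP/1.0" 200 900',
] + [
    f'203.0.113.9 - - [10/Mar/2024:10:01:{n:02d} +0000] '
    f'"GET /level/{n}/exec/show/config/CR HTTP/1.0" 401 120'
    for n in range(16, 24)
]

if __name__ == "__main__":
    for src, finding in analyze(SAMPLE).items():
        print(src, finding)
```

A source with a non-empty "bypassed" list warrants checking the device's IOS version and HTTP server configuration; a source with "sweep" set matches the sequential-scan pattern even when every request was rejected.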

CVSS provenance

nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 · CRITICAL