CVE-2001-0537
published 2001-07-21CVE-2001-0537: HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by…
PriorityP274critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
68.45%
99.2th percentile
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.
Affected
91 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
| cisco | ios | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP GET requests to paths matching /level/<16-99>/exec/ on port 80 targeting Cisco IOS devices; any integer between 16 and 99 in the level field indicates an exploitation attempt. ↗
- →HTTP response body containing 'service config', 'Switch', and 'default-gateway' together on a /level/*/exec/ request confirms successful authentication bypass and config disclosure. ↗
- →HTTP 200 response to /level/<16-99>/exec/ requests (without valid credentials) on Cisco IOS HTTP server indicates the device is vulnerable and the bypass succeeded. ↗
- →Shodan queries can identify exposed vulnerable Cisco IOS HTTP config servers: search for product:"Cisco IOS http config" with status 200. ↗
- →Bulk scanning tools iterate over /level/16 through /level/99 paths; network logs showing sequential requests across this range from a single source IP indicate active exploitation scanning. ↗
- ·The vulnerability only affects Cisco IOS devices where local HTTP authorization is enabled; devices not running the IOS HTTP server are not affected. ↗
- ·Affected IOS versions span 11.3 through 12.2; the Metasploit module was confirmed to work against a Cisco 1600 Router running IOS v11.3(11d). ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-3m99-vrqx-m6h7: HTTP server for Cisco IOS 11
ghsa_unreviewed·2022-04-30
CVE-2001-0537 [HIGH] CWE-287 GHSA-3m99-vrqx-m6h7: HTTP server for Cisco IOS 11
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.
VulnCheck
Cisco IOS Software Improper Authentication
vulncheck·2001·CVSS 9.3
CVE-2001-0537 [CRITICAL] Cisco IOS Software Improper Authentication
Cisco IOS Software Improper Authentication
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.
Affected: Cisco IOS Software
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2001-0537; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2001-0537; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=20
Cisco
IOS HTTP Authorization Vulnerability
vendor_cisco·2001-06-27
CVE-2001-0537 CWE-287 IOS HTTP Authorization Vulnerability
IOS HTTP Authorization Vulnerability
When the HTTP server is enabled and local authorization is used, it is
possible, under some circumstances, to bypass the authentication and execute
any command on the device. In that case, the user will be able to exercise
complete control over the device. All commands will be executed with the
highest privilege (level 15).
All releases of Cisco IOS�� software, starting with release 11.3 and
later, are vulnerable. Virtually all mainstream Cisco routers and switches
running Cisco IOS software are affected by this vulnerability.
Products that are not running Cisco IOS software are not vulnerable.
The workaround for this vulnerability is to disable HTTP server on the
router or to use Terminal Access Controller Access Control System (TACACS+) or
Radius
Cisco
IOS HTTP Authorization Vulnerability
vendor_cisco
CVE-2001-0537 IOS HTTP Authorization Vulnerability
CVE-2001-0537: IOS HTTP Authorization Vulnerability
When the HTTP server is enabled and local authorization is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device. In that case, the user will be able to exercise complete control over the device. All commands will be executed with the highest privilege (level 15). All releases of Cisco IOS?? software, starting with release 11.3 and later, are vulnerable. Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability. Products that are not running Cisco IOS software are not vulnerable. The workaround for this vulnerability is to disable HTTP server on the router or to use Terminal Access Controller Access Control System (TACACS+)
No detection rules found.
Exploit-DB
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (4)
exploitdb·2001-06-27
CVE-2001-0537 Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (4)
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (4)
---
# source: https://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl
##
# Cisco Global Exploiter
#
# Lega
Exploit-DB
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (2)
exploitdb·2001-06-27
CVE-2001-0537 Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (2)
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (2)
---
/*
source: https://www.securityfocus.com/bid/2936/info
IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
*/
/* Coded and backdored by Eliel C. Sardanons
* to compile:
*
Exploit-DB
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (1)
exploitdb·2001-06-27
CVE-2001-0537 Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (1)
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (1)
---
# source: https://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl
# modified roelof's uni.pl
# to check
Exploit-DB
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (3)
exploitdb·2001-03-07
CVE-2001-0537 Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (3)
Cisco IOS 11.x/12.x - HTTP Configuration Arbitrary Administrative Access (3)
---
# source: https://www.securityfocus.com/bid/2936/info
#
# IOS is router firmware developed and distributed by Cisco Systems. IOS functions on numerous Cisco devices, including routers and switches.
#
# It is possible to gain full remote administrative access on devices using affected releases of IOS. By using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
#
# This problem makes it possible for a remote user to gain full administrative privileges, which may lead to further compromise of the network or result in a denial of service.
#
#!/usr/bin/perl
#
# Bulk Scanner for the Cisco IOS HT
Metasploit
Cisco IOS HTTP Unauthorized Administrative Access
metasploit
Cisco IOS HTTP Unauthorized Administrative Access
Cisco IOS HTTP Unauthorized Administrative Access
This module exploits a vulnerability in the Cisco IOS HTTP Server. By sending a GET request for "/level/num/exec/..", where num is between 16 and 99, it is possible to bypass authentication and obtain full system control. IOS 11.3 -> 12.2 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.3(11d).
Nuclei
Cisco IOS HTTP Configuration - Authentication Bypass
nuclei·CVSS 9.3
CVE-2001-0537 [CRITICAL] Cisco IOS HTTP Configuration - Authentication Bypass
Cisco IOS HTTP Configuration - Authentication Bypass
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.
Template:
id: CVE-2001-0537
info:
name: Cisco IOS HTTP Configuration - Authentication Bypass
author: DhiyaneshDK
severity: critical
description: |
HTTP server for Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands, when local authorization is being used, by specifying a high access level in the URL.
impact: |
Successful exploitation of this vulnerability could lead to unauthorized access to the affected device.
remediation: |
Apply the appropriate patch or upgrade to a fixed version of the Cisc
No writeups or analysis indexed.
http://www.cert.org/advisories/CA-2001-14.htmlhttp://www.ciac.org/ciac/bulletins/l-106.shtmlhttp://www.cisco.com/warp/public/707/IOS-httplevel-pub.htmlhttp://www.osvdb.org/578http://www.securityfocus.com/archive/1/1601227034.20010702112207%40olympos.orghttp://www.securityfocus.com/archive/1/20010703011650.60515.qmail%40web14910.mail.yahoo.comhttp://www.securityfocus.com/archive/1/4.3.2.7.2.20010629095801.0c3e6a70%40brussels.cisco.comhttp://www.securityfocus.com/archive/1/Pine.LNX.3.96.1010702134611.22995B-100000%40Lib-Vai.lib.asu.eduhttp://www.securityfocus.com/bid/2936https://exchange.xforce.ibmcloud.com/vulnerabilities/6749http://www.cert.org/advisories/CA-2001-14.htmlhttp://www.ciac.org/ciac/bulletins/l-106.shtmlhttp://www.cisco.com/warp/public/707/IOS-httplevel-pub.htmlhttp://www.osvdb.org/578http://www.securityfocus.com/archive/1/1601227034.20010702112207%40olympos.orghttp://www.securityfocus.com/archive/1/20010703011650.60515.qmail%40web14910.mail.yahoo.comhttp://www.securityfocus.com/archive/1/4.3.2.7.2.20010629095801.0c3e6a70%40brussels.cisco.comhttp://www.securityfocus.com/archive/1/Pine.LNX.3.96.1010702134611.22995B-100000%40Lib-Vai.lib.asu.eduhttp://www.securityfocus.com/bid/2936https://exchange.xforce.ibmcloud.com/vulnerabilities/6749
2001-07-21
Published
Exploited in the wild