cbcvebase.
CVE-2017-12243
published 2017-11-02

CVE-2017-12243: A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300…

Priority P268 | high | 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.07% (99.5th percentile)

A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device, aka Command Injection. The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device. Cisco Bug IDs: CSCvf20741, CSCvf60078.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
cisco | ucs_manager_cisco_firepower_4100_series_ngfw_and_cisco_firepower_9300_security_a | |

Detection & IOCs (extracted from sources)

url: http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#
url: https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#
url: http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1
url: https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1
path: /settings/ping
  • Monitor HTTP/HTTPS GET requests to the /settings/ping endpoint containing URL-encoded shell metacharacters (e.g., %3b, %3B — semicolons) in the ping_ip_addr or ping_num parameters, indicating command injection attempts.
  • Detect SSH sessions to Cisco UCS Platform Emulator (default credentials ucspe/ucspe) issuing 'show sel %x' or format-string payloads (e.g., 'show sel %62c%28$n'), which indicate exploitation of the format string vulnerability.
  • Alert on SSH login attempts using the default credentials ucspe/ucspe to Cisco UCS Platform Emulator devices, as these are the default credentials leveraged in the authenticated RCE exploit chain.
  • Look for processes spawned as uid=0(root) from the UCS Manager shell application or SSH session, particularly following 'show sel' commands, as successful exploitation results in root shell access.
  • The unauthenticated HTTP command injection vector targets Cisco UCS Platform Emulator 3.1(2ePE1) specifically; the CVE as filed by Cisco covers authenticated local command injection on UCS Manager, Firepower 4100, and Firepower 9300; the exploit-db PoC may represent a broader or emulator-specific attack surface.
  • The Cisco advisory describes the vulnerability as requiring an authenticated, local attacker; however, the exploit-db PoC demonstrates unauthenticated remote exploitation via the /settings/ping HTTP endpoint on the emulator, suggesting the emulator exposes a wider attack surface than production hardware.
  • Cisco Bug IDs CSCvf20741 and CSCvf60078 track this vulnerability; patch status should be verified against both IDs for UCS Manager and Firepower platforms respectively.
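
The first monitoring item above, written as a web access-log check (an added example, not code from this page or its sources). It goes beyond matching %3b: it percent-decodes the query and flags any ping_ip_addr that is not an IP literal and any ping_num that is not a plain integer. The combined log format, the assumption that the form only sends an IP literal and a count, and the sample lines are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
WATCHED_PATH = "/settings/ping"  # path listed on this page

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious_params(target):
    """Return (name, decoded_value) pairs that fail the allow-list checks."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != WATCHED_PATH:
        return []
    hits = []
    # parse_qsl percent-decodes first, so %3b and %3B both become ';'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "ping_ip_addr" and not _is_ip(value):
            hits.append((name, value))
        elif name == "ping_num" and not (value.isascii() and value.isdigit()):
            hits.append((name, value))
    return hits

def scan(lines):
    """Yield (client, name, decoded_value) for every flagged request."""
    for line in lines:
        match = REQUEST_RE.match(line)
        if match:
            for name, value in suspicious_params(match.group("target")):
                yield match.group("client"), name, value

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2017:10:00:00 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=127.0.0.1 HTTP/1.1" 200 310',
    '198.51.100.7 - - [02/Nov/2017:10:00:01 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Nov/2017:10:00:02 +0000] "GET /settings/ping?ping_num=1%3Bid%3B&ping_ip_addr=127.0.0.1 HTTP/1.1" 200 498',
    '192.0.2.10 - - [02/Nov/2017:10:00:03 +0000] "GET /index.html?q=a%3bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, name, value in scan(SAMPLE_LOG):
        print(f"ALERT client={client} param={name} decoded={value!r}")
```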

CVSS provenance

nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 6.7 | MEDIUM