CVE-2017-3853
published 2017-03-22

Priority: P270 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.71% (94.5th percentile)
A vulnerability in the Data-in-Motion (DMo) process installed with the Cisco IOx application environment could allow an unauthenticated, remote attacker to cause a stack overflow that could allow remote code execution with root privileges in the virtual instance running on an affected device. The vulnerability is due to insufficient bounds checking in the DMo process. An attacker could exploit this vulnerability by sending crafted packets that are forwarded to the DMo process for evaluation. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx. This vulnerability affects the following Cisco 800 Series Industrial Integrated Services Routers: Cisco IR809 and Cisco IR829. Cisco IOx Releases 1.0.0.0 and 1.1.0.0 are vulnerable. Cisco Bug IDs: CSCuy52330.
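The "insufficient bounds checking" pattern the advisory describes, shown as an added illustration in C. This is not DMo's code or Cisco's; the message layout (type byte, declared-length byte, payload), the names evaluate_unsafe/evaluate_safe and TAG_BUF, and the sample packets are assumptions constructed for the example. It puts the vulnerable form (the declared length is trusted) beside the hardened form (the length is checked against both the stack buffer and the bytes actually received).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class in CVE-2017-3853 (a length
 * field trusted without bounds checking), NOT DMo's code. The layout is
 * an assumption: byte 0 = message type, byte 1 = declared payload length,
 * bytes 2.. = payload.
 */
#define TAG_BUF 32

/* Vulnerable form: trusts the declared length. A packet declaring len=200
 * copies 200 bytes into a 32-byte stack buffer (stack smash); a packet that
 * declares more bytes than were received also reads past the packet. */
int evaluate_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    char tag[TAG_BUF];
    if (pkt_len < 2)
        return -1;
    uint8_t len = pkt[1];
    memcpy(tag, pkt + 2, len);   /* len is never compared to TAG_BUF or pkt_len */
    return (int)len;
}

/* Hardened form: both bounds are checked before the copy.
 * Returns the accepted payload length, or a negative code on rejection. */
int evaluate_safe(const uint8_t *pkt, size_t pkt_len)
{
    char tag[TAG_BUF];
    if (pkt == NULL || pkt_len < 2)
        return -1;                       /* header incomplete */
    size_t len = pkt[1];
    if (len > TAG_BUF - 1)
        return -2;                       /* would overflow the stack buffer (room kept for NUL) */
    if (len > pkt_len - 2)
        return -3;                       /* declares more payload than was received */
    memcpy(tag, pkt + 2, len);
    tag[len] = '\0';
    return (int)len;
}

/* Constructed sample packets exercising the three outcomes. */
int check_benign(void)
{
    const uint8_t pkt[] = { 0x07, 5, 'h', 'e', 'l', 'l', 'o' };
    return evaluate_safe(pkt, sizeof pkt);           /* 5 */
}

int check_oversized(void)
{
    uint8_t pkt[2 + 200];
    pkt[0] = 0x07;
    pkt[1] = 200;                                     /* 200 > 31 */
    memset(pkt + 2, 'A', 200);
    return evaluate_safe(pkt, sizeof pkt);           /* -2 */
}

int check_truncated(void)
{
    const uint8_t pkt[] = { 0x07, 16, 'A', 'B' };    /* declares 16, carries 2 */
    return evaluate_safe(pkt, sizeof pkt);           /* -3 */
}

int main(void)
{
    const uint8_t benign[] = { 0x07, 5, 'h', 'e', 'l', 'l', 'o' };
    /* The unsafe parser "works" on benign input, which is why the bug survives
     * functional testing. It is deliberately not fed the oversized packet here,
     * because that would corrupt this process's stack. */
    printf("unsafe/benign   : %d\n", evaluate_unsafe(benign, sizeof benign));
    printf("safe/benign     : %d\n", check_benign());
    printf("safe/oversized  : %d\n", check_oversized());
    printf("safe/truncated  : %d\n", check_truncated());
    return 0;
}
```

The two checks in evaluate_safe are independent: the first stops the write past the stack buffer (the root-in-the-instance outcome the advisory describes), the second stops an over-read of the received packet, which is a separate crash path that a fix only for the first check would leave open.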

Affected (3 ranges)

Vendor   Product              Version range   Fixed in
cisco    iox                  (not listed)    (not listed)
cisco    iox                  (not listed)    (not listed)
cisco    iox_data_in_motion   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • Inspect traffic that is forwarded to the DMo (Data-in-Motion) process for evaluation; the advisory publishes no packet signature, so malformed or anomalous input reaching that process is the available indicator of attempted exploitation of the stack overflow
  • Scope detection to the IOx virtual instance on Cisco IR809 and IR829 devices running Cisco IOx Release 1.0.0.0 or 1.1.0.0, the only confirmed vulnerable targets
  • Monitor for stack overflow symptoms (abnormal crashes or restarts) specifically in the DMo process inside the IOx virtual instance; a successful exploit yields root privileges within that instance, so a crash is the failed-attempt signal and a surviving process with new activity is the success signal
  • Exploitation impact is contained to the IOx virtual instance and does not affect the host router; scope detection and triage accordingly
  • No workarounds exist; upgrading to a fixed Cisco IOx release is the only mitigation

CVSS provenance

nvd            v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco          9.8    CRITICAL