CVE-2017-6640
published 2017-06-08

Priority: P270 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 10.72% (95.3th percentile)
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software releases prior to Release 10.2(1) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd95346.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
cisco | prime_data_center_network_manager
cisco | prime_data_center_network_manager
cisco | prime_data_center_network_manager
cisco | prime_data_center_network_manager_server_static_credential

Detection & IOCs (extracted from sources)

url: https://172.26.24.15/Upload?svc=upload&maxFileSize=100000&tacCaseID=../../../../Program%20Files/Cisco%20Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments
path: ../../../../Program Files/Cisco Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments
path: /Upload
filename: webshell.war
filename: dcnmweb.war
command: curl -k -F 'data=@/tmp/webshell.war' "https://172.26.24.15/Upload?svc=upload&maxFileSize=100000&tacCaseID=../../../../Program%20Files/Cisco%20Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments"
  • Monitor HTTP requests to the /Upload endpoint with the 'svc=upload' parameter and path traversal sequences (e.g., '../') in the 'tacCaseID' parameter, which is the exploitation vector for the XmpFileUploadServlet path traversal.
  • Detect unauthenticated access attempts to the Cisco DCNM administrative console using default static credentials — the default user account is created automatically at install time.
  • Alert on .war file uploads to the DCNM server's JBoss deployments directory, particularly via the XmpFileUploadServlet class, as this is the mechanism for achieving RCE via webshell deployment.
  • Inspect for new files appearing under the JBoss standalone deployments path: Program Files/Cisco Systems/dcm/jboss-as-7.2.0.Final/standalone/sandeployments
  • The path traversal PoC targets a specific JBoss deployment path on Windows. The deployment path may differ on Linux and Virtual Appliance platforms.
  • The related path traversal vulnerability (XmpFileUploadServlet) also affects Cisco Prime Infrastructure, but requires authentication first in that product, unlike DCNM where it is unauthenticated.
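The first monitoring item above (requests to /Upload with svc=upload and traversal sequences in tacCaseID) can be checked against web access logs. The following is an added example, not code from this page or from Cisco; the combined access-log format is an assumption and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_upload(target):
    """True for /Upload with svc=upload and a '..' segment in tacCaseID."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/upload":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    if "upload" not in (v.lower() for v in params.get("svc", [])):
        return False
    for raw in params.get("tacCaseID", []):
        # Treat backslashes as separators too (Windows-style traversal).
        segments = fully_decode(raw).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False

def scan(lines):
    """Return (source ip, status, target) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_suspicious_upload(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /Upload?svc=upload&maxFileSize=100000&tacCaseID=../../../../Program%20Files/x HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /Upload?svc=upload&tacCaseID=%252e%252e%252f%252e%252e%252fx HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "POST /Upload?svc=upload&tacCaseID=..%5c..%5cx HTTP/1.1" 404 0',
    '192.0.2.20 - - [01/Jan/2024:10:02:00 +0000] "POST /Upload?svc=upload&maxFileSize=100000&tacCaseID=600123456 HTTP/1.1" 200 12',
    '192.0.2.20 - - [01/Jan/2024:10:03:00 +0000] "GET /docs/index.html?ref=../home HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with a 2xx status is the one to triage first, by checking the deployments directory named above for newly written .war files.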

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco | 9.8 | CRITICAL