CVE-2018-0432 — OS Command Injection in Cisco Vedge 1000 Firmware

CWE-264 CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Vedge 1000 Firmware Cisco Vedge 100 Firmware Cisco Vedge 2000 Firmware +2 more

Timeline

PublishedOct 5

Latest updateMay 13

Description

A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the error reporting application configuration. An attacker could exploit this vulnerability by sending a crafted command to the error reporting feature. A successful exploit could allow the attacker to gain root-level privileges and …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5cisco/cisco_sd-wan_solutionn/a

▶NVDcisco/vedge_100_firmware< 18.3.0

▶NVDcisco/vedge_1000_firmware< 18.3.0

▶NVDcisco/vedge_2000_firmware< 18.3.0

▶NVDcisco/vedge_5000_firmware< 18.3.0

🔴Vulnerability Details

GHSA

GHSA-7jp6-h3hx-67f6: A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges↗2022-05-13

▶

CVEList

Cisco SD-WAN Solution Privilege Escalation Vulnerability↗2018-10-05

▶

📋Vendor Advisories

Cisco

Cisco SD-WAN Solution Privilege Escalation Vulnerability↗2018-09-05

▶