CVE-2019-12643
Published 2019-08-28
Priority P272 · critical · 10 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 5.32% (91.6th percentile)
A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE device. The vulnerability is due to an improper check performed by the area of code that manages the REST API authentication service. An attacker could exploit this vulnerability by submitting malicious HTTP requests to the targeted device. A successful exploit could allow the attacker to obtain the token-id of an authenticated user. This token-id could be used to bypass authentication and execute privileged actions through the interface of the REST API virtual service container on the affected Cisco IOS XE device. The REST API interface is not enabled by default and must be installed and activated separately on IOS XE devices. See the Details section for more information.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_ios_xe_software | >= unspecified < 16.09.03 | 16.09.03 |
| cisco | ios_xe | — | — |
| cisco | ios_xe | — | — |
| cisco | rest | — | — |
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; to_lowercase; content:"|0d 0a|x-auth-token|0d 0a|"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:3; metadata:created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Check if the Cisco REST API virtual service container is installed and enabled by running 'show virtual-service detail | include Restful'; presence of 'Enabled, UP port: 55443' confirms exposure.
- Identify the installed virtual service container name and version with 'show virtual-service version installed' to determine if a vulnerable version is present.
- Vulnerable container names are 'mgmt' and 'csr_mgmt'; flag any device where these containers are at affected versions (e.g., 1.5.1, 1.6.1, 1.7.1, 1.7.2, 1.8.1, 162.1, 99.99.99 for mgmt; 03.16.03, 03.16.04, 1.0.0–1.8.1, 162.1, 163.1, 2017.6, 2017.10, 99.99.99 for csr_mgmt).
- Network scan for Cisco IOS devices with port 55443 open to identify potentially exposed REST API endpoints.
- The ET Snort rule (SID 2035012) detects exploitation by tracking HTTP GET requests to port 55443 carrying the 'x-auth-token' header after an initial bypass attempt (xbits tracking via ET.Cisco_ABypass on the IP pair).
- Exploitation requires an authenticated level-15 administrator session to be active on the REST API interface at the time of attack; monitor for concurrent admin sessions alongside anomalous REST API calls.
- The REST API virtual service container is NOT enabled by default; devices are only vulnerable if the container has been explicitly installed and activated.
- Exploitation additionally requires that a level-15 authenticated admin session is active on the REST API at the time of the attack; opportunistic exploitation without a live admin session is not possible.
- If 'show virtual-service detail | include Restful' produces no output or the string 'Enabled, UP' is absent, the device is not affected.
- Cisco also released a hardened IOS XE Software release that prevents installation or activation of a vulnerable container entirely, as an alternative mitigation path.
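The two CLI checks above can be applied to collected command output in bulk. The following is an added example, not code from this page or from Cisco: the function names are hypothetical, the sample output layout is constructed, and the version sets are the illustrative ("e.g.") lists given above.

```python
import re

# Affected container versions exactly as the list above gives them ("e.g.",
# so treat them as illustrative); csr_mgmt also has the range 1.0.0-1.8.1.
AFFECTED = {
    "mgmt": {"1.5.1", "1.6.1", "1.7.1", "1.7.2", "1.8.1", "162.1", "99.99.99"},
    "csr_mgmt": {"03.16.03", "03.16.04", "162.1", "163.1", "2017.6",
                 "2017.10", "99.99.99"},
}
CSR_RANGE = ((1, 0, 0), (1, 8, 1))

def rest_api_up(detail_output):
    """True if a 'Restful' line reports Enabled, UP on port 55443."""
    return any("Restful" in line and
               re.search(r"Enabled,\s*UP\s+port:\s*55443", line)
               for line in detail_output.splitlines())

def installed_containers(version_output):
    """Return {name: version} from the 'Name:' / 'Version:' line pairs."""
    names = re.findall(r"^\s*Name\s*:\s*(\S+)", version_output, re.M)
    versions = re.findall(r"^\s*Version\s*:\s*(\S+)", version_output, re.M)
    return dict(zip(names, versions))

def is_affected(name, version):
    if version in AFFECTED.get(name, set()):
        return True
    if name == "csr_mgmt" and re.fullmatch(r"\d+\.\d+\.\d+", version):
        v = tuple(int(p) for p in version.split("."))
        return CSR_RANGE[0] <= v <= CSR_RANGE[1]
    return False

def assess(detail_output, version_output):
    """Combine both checks into one verdict string per device."""
    if not rest_api_up(detail_output):
        return "not exposed"
    for name, ver in installed_containers(version_output).items():
        if is_affected(name, ver):
            return f"exposed: affected {name} {ver}"
    return "exposed: review version"

# Constructed sample output for the two show commands (assumed layout).
SAMPLE_DETAIL = "Restful API   Enabled, UP             port: 55443\n"
SAMPLE_VERSION = ("Virtual service csr_mgmt installed version:\n"
                  " Name: csr_mgmt\n Version: 1.2.1\n")

if __name__ == "__main__":
    print(assess(SAMPLE_DETAIL, SAMPLE_VERSION))
```

A verdict of "exposed: review version" means the container is up but its version is not in the illustrative lists, so it still needs checking against the vendor advisory.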
CVSS provenance
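| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | | 10.0 | CRITICAL | |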
GHSA
ghsa_unreviewed·2022-05-24
CVE-2019-12643 [CRITICAL] CWE-287 GHSA-9j8q-456x-95cx
Cisco
Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability
vendor_cisco·2019-08-28·CVSS 10.0
CVE-2019-12643 [CRITICAL] CWE-287 Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability
Suricata
ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)
suricata·2022-01-28·CVSS 10.0
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; to_lowercase; content:"|0d 0a|x-auth-token|0d 0a|"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:3; metadata:created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_25, mitre_tactic_id TA0001, mitre_
Suricata
ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Successful Exploit (CVE-2019-12643)
suricata·2022-01-28·CVSS 10.0
Rule: alert http [$HOME_NET,$HTTP_SERVERS] 55443 -> any any (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Successful Exploit (CVE-2019-12643)"; flow:established,to_client; flowbits:isset,ET.Cisco_ABypass; http.stat_code; content:"200"; file.data; content:"|5b 7b 22|last-access-time|22 3a|"; fast_pattern; content:"|22|token-id|22 3a 20 22|"; within:200; pcre:"/^[a-zA-Z0-9]{5,40}/R"; xbits:set,ET.Cisco_ABypass,track ip_pair,expire 60; reference:cve,2019-12643; classtype:successful-admin; sid:2035011; rev:3; metadata:created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, confidence High, signatur
Suricata
ET EXPLOIT Possible Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Attempt (CVE-2019-12643)
suricata·2022-01-28·CVSS 10.0
Rule: alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Possible Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Attempt (CVE-2019-12643)"; flow:established,to_server; flowbits:set,ET.Cisco_ABypass; http.request_line; content:"GET /api/v1/auth/token-services/debug HTTP/1.1"; nocase; fast_pattern; http.accept; bsize:16; content:"application/json"; reference:cve,2019-12643; classtype:attempted-admin; sid:2035010; rev:4; metadata:created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_04, mitr
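The three rules form a chain: SID 2035010 flags the request, 2035011 the response that carries a token-id, and 2035012 later use of an x-auth-token between the same hosts. The following added example (not part of the rules or of this page) reads Suricata EVE JSON alert lines and reports how far along that chain each IP pair got; the function name and the sample events are constructed.

```python
import json
from collections import defaultdict

# Stage per signature id, taken from the three ET rules listed above.
STAGES = {2035010: 1, 2035011: 2, 2035012: 3}
LABELS = {1: "attempt", 2: "token disclosed", 3: "token used"}

def triage(eve_lines):
    """Map each IP pair to the furthest stage of the chain that alerted."""
    furthest = defaultdict(int)
    for raw in eve_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip partial lines from a log still being written
        if ev.get("event_type") != "alert":
            continue
        stage = STAGES.get(ev.get("alert", {}).get("signature_id"))
        if stage is None or "src_ip" not in ev or "dest_ip" not in ev:
            continue
        # 2035011 fires on the response, so src/dest may be swapped there;
        # key on the unordered pair, as the rules' xbits do (track ip_pair).
        pair = tuple(sorted((ev["src_ip"], ev["dest_ip"])))
        furthest[pair] = max(furthest[pair], stage)
    return {pair: LABELS[s] for pair, s in furthest.items()}

# Constructed EVE lines using documentation address ranges.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10",'
    '"alert":{"signature_id":2035010}}',
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7",'
    '"alert":{"signature_id":2035011}}',
    '{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10",'
    '"alert":{"signature_id":2035010}}',
    '{"event_type":"flow","src_ip":"203.0.113.5","dest_ip":"192.0.2.10"}',
    '{"event_type":"alert", "src_ip":',
]

if __name__ == "__main__":
    for pair, label in triage(SAMPLE_EVE).items():
        print(pair, label)
```

A pair at "token disclosed" or beyond means an administrator token-id was returned to the requester, so the affected REST API sessions should be treated as compromised even if no later use was seen.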
No public exploits indexed.
Checkpoint
2nd September – Threat Intelligence Bulletin
blogs_checkpoint·2019-09-02
For the latest discoveries in cyber research for the week of 2nd September 2019, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
A broad campaign of iPhone hacking has been revealed. For at least two years, attackers have been using compromised websites and exploiting 14 separate vulnerabilities in Apple’s iOS to install spyware on thousands of Apple devices innocently visiting websites. Attackers gained access to location data, photos, c
Qualys
Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability – (CVE-2019-12643)
blogs_qualys·2019-08-29·CVSS 10.0
Cisco published an update for Cisco IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices running an outdated version of Cisco REST API virtual service container.
The security issue is tracked as CVE-2019-12643 and has received a maximum severity rating score of 10 based on CVSS v3 Scoring system.
## The Vulnerability
This vulnerability exists in Cisco REST API virtual service container for Cisco IOS XE Software. Exploitation only requires malicious HTTP requests to the targeted device, which could allow an unauthenticated, remote attacker to bypass authentication on the managed Cisco IOS XE devices.
This vulnerability resides in the Cisco REST API virtual service container, however, it affects devices running C
Tenable
CVE-2019-12643: Critical Authentication Bypass Vulnerability in REST API Container for Cisco IOS XE
blogs_tenable·2019-08-29·CVSS 10.0