CVE-2019-15975
published 2020-01-06

CVE-2019-15975: Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass…

Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 85.65% (99.7th percentile)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Affected

3 ranges

Vendor | Product                           | Version range          | Fixed in
cisco  | cisco_data_center_network_manager | >= unspecified, < n/a  | n/a
cisco  | data_center_network_manager       | < 11.3(1)              | 11.3(1)
cisco  | data_center_network_manager       |                        |

Detection & IOCs (extracted from sources)

url:   https://<target>/fm/fmrest/dbadmin/addUser
url:   https://<target>/LogonWSService/LogonWS
url:   https://<target>/SanWSService/SanWS
other: s91zEQmb305F!90a (hardcoded AES key)
other: afw-token (HTTP header)
path:  C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service
other: Snort SIDs 52530 - 52547
  • Detect unauthenticated POST requests to /fm/fmrest/dbadmin/addUser with a crafted 'afw-token' header — this is the auth bypass endpoint used to add a global-admin account without prior authentication.
  • The exploit forges an AES-CBC encrypted token using the hardcoded key 's91zEQmb305F!90a' with a zero IV and the prefix 'Source Incite'. Detecting this token pattern in the 'afw-token' HTTP header is a strong indicator of exploitation.
  • Alert on POST requests to /LogonWSService/LogonWS SOAP endpoint immediately followed by requests to /fm/fmrest/dbadmin/addUser from the same source IP — this sequence indicates the two-stage auth bypass and admin account creation.
  • Use Cisco Talos Snort SIDs 52530–52547 to detect exploitation attempts against CVE-2019-15975, CVE-2019-15976, and CVE-2019-15977 in Cisco DCNM.
  • The AES encryption uses a hardcoded key and a zero IV; the token also embeds the server's current time (leaked via the HTTP Date response header). The exploit loops to handle a race condition in InheritableThreadLocal.childValue, meaning multiple rapid requests to the auth bypass endpoint may be observed before a successful bypass.
  • There are no workarounds available for these vulnerabilities; only vendor-supplied software updates address CVE-2019-15975.
  • A public Proof of Concept and a Metasploit module exist for this vulnerability, significantly lowering the bar for exploitation.
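The three detection ideas above (an addUser POST carrying an afw-token header, the LogonWS-then-addUser sequence from one source, and the burst of rapid addUser requests produced by the race-condition loop) can be expressed as a small log-analytic. The following is an added example written for this page, not code from Cisco, Talos or the PoC authors. It assumes a reverse proxy in front of DCNM emits JSON-lines records with `ts`, `src`, `method`, `path` and `headers` fields; that record layout and the sample lines are constructed for the example and are not a real Cisco log format. The token value is deliberately not inspected, only the presence of the header, so the rule needs nothing from the exploit itself.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the advisory and detection notes above.
ADDUSER_PATH = "/fm/fmrest/dbadmin/addUser"
LOGON_PATH = "/LogonWSService/LogonWS"
# Assumption: a logon followed by addUser within this window from the same
# source is treated as one two-stage bypass attempt.
SEQUENCE_WINDOW = timedelta(seconds=60)
# Assumption: this many addUser POSTs from one source is a "burst" consistent
# with the race-condition retry loop described above.
BURST_THRESHOLD = 3

# Constructed sample log (not real traffic). 203.0.113.5 shows the attack
# pattern; 198.51.100.9 is a legitimately authenticated session adding a user.
SAMPLE_LOG = """\
{"ts": "2020-01-07T10:00:01Z", "src": "203.0.113.5", "method": "POST", "path": "/LogonWSService/LogonWS", "headers": {"Content-Type": "text/xml"}}
{"ts": "2020-01-07T10:00:02Z", "src": "203.0.113.5", "method": "POST", "path": "/fm/fmrest/dbadmin/addUser", "headers": {"AFW-Token": "REDACTED"}}
{"ts": "2020-01-07T10:00:02Z", "src": "203.0.113.5", "method": "POST", "path": "/fm/fmrest/dbadmin/addUser", "headers": {"afw-token": "REDACTED"}}
{"ts": "2020-01-07T10:00:03Z", "src": "203.0.113.5", "method": "POST", "path": "/fm/fmrest/dbadmin/addUser", "headers": {"afw-token": "REDACTED"}}
{"ts": "2020-01-07T10:05:00Z", "src": "198.51.100.9", "method": "GET", "path": "/fm/", "headers": {"Cookie": "JSESSIONID=abc"}}
{"ts": "2020-01-07T10:06:00Z", "src": "198.51.100.9", "method": "POST", "path": "/fm/fmrest/dbadmin/addUser", "headers": {"Cookie": "JSESSIONID=abc"}}
"""


def parse_log(text):
    """Parse JSON-lines records; timestamps become datetimes and header
    names are lower-cased so 'AFW-Token' and 'afw-token' compare equal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["headers"] = {k.lower(): v for k, v in rec["headers"].items()}
        records.append(rec)
    return records


def detect(records):
    """Return a list of (rule, source_ip, detail) alerts."""
    alerts = []
    last_logon = {}                 # src -> time of most recent LogonWS POST
    adduser_hits = defaultdict(int)  # src -> number of addUser POSTs seen
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["method"] != "POST":
            continue
        if r["path"] == LOGON_PATH:
            last_logon[r["src"]] = r["ts"]
            continue
        if r["path"] != ADDUSER_PATH:
            continue
        adduser_hits[r["src"]] += 1
        # Rule 1: addUser request carrying the forged-token header.
        if "afw-token" in r["headers"]:
            alerts.append(("afw_token_adduser", r["src"], r["ts"]))
        # Rule 2: LogonWS followed by addUser from the same source.
        # The logon timestamp is consumed so one logon yields one alert.
        t = last_logon.pop(r["src"], None)
        if t is not None and r["ts"] - t <= SEQUENCE_WINDOW:
            alerts.append(("logon_then_adduser", r["src"], r["ts"]))
    # Rule 3: burst of addUser requests, consistent with the retry loop.
    for src, n in adduser_hits.items():
        if n >= BURST_THRESHOLD:
            alerts.append(("adduser_burst", src, n))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {src:15} {detail}")
```

Rule 1 is the high-confidence signal: a normal, authenticated DCNM session never needs to present an afw-token to addUser, so its presence on that path is enough on its own. Rules 2 and 3 are corroborating and are what make the alert useful if the proxy in front of the appliance does not log request headers at all.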

CVSS provenance

nvd (v3.1):    9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v3.0):    9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):   10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco:  9.8  CRITICAL