CVE-2019-15976
published 2020-01-06


Priority: P1 (91), critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: public PoC available
EPSS: 92.84% (99.8th percentile)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Affected (3 ranges)

Vendor  Product                             Version range            Fixed in
cisco   cisco_data_center_network_manager   >= unspecified, < n/a    n/a
cisco   data_center_network_manager         < 11.3(1)                11.3(1)
cisco   data_center_network_manager         (range not given)        (not given)

Detection & IOCs (extracted from sources)

url: https://<target>/j_spring_security_check
url: https://<target>/ReportWSService/ReportWS
url: https://<target>/DbInventoryWSService/DbInventoryWS
url: https://<target>/serverinfo/HtmlAdaptor?action=displayServerInfos
url: https://<target>/DbAdminWSService/DbAdminWS
path: /DbAdminWSService/DbAdminWS
path: ../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/<vfs>/si.jsp
filename: si.jsp
hash: e50f8a6b2b3b014ec022fe40fabcb6d5
other: Snort SIDs 52530 - 52547
command: update xmldocs set document_name='<path>',content=decode('<hex>','hex') where user_name='1337';
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:""; content:""; content:""; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:2; metadata:created_at 2021_07_24, cve CVE_2019_15976, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The auth bypass forges an SSO token using a hardcoded static secret string embedded in the DCNM application. Detect SOAP requests containing this token pattern (sessionid.timestamp.base64md5.username) to unauthenticated endpoints.
  • Monitor for unauthenticated POST requests to /DbAdminWSService/DbAdminWS containing SOAP body elements for user creation (global-admin role assignment) — a key step in the exploit chain.
  • Monitor for POST requests to /DbInventoryWSService/DbInventoryWS with SQL stacked injection payloads (semicolon-prefixed SQL followed by --) in the SOAP body.
  • Detect directory traversal sequences (../../../../) in SOAP body content sent to /ReportWSService/ReportWS, used to write a JSP webshell outside the intended report directory.
  • Alert on HTTP GET requests to /si.jsp on DCNM servers; such a request indicates the JSP shell has already been written to disk and is now being triggered.
  • Monitor for access to /serverinfo/HtmlAdaptor?action=displayServerInfos using HTTP Basic Auth, used by the exploit to leak the VFS temp path needed for webshell placement.
  • The exploit uses a fixed timestamp value of 9999999999999 in the forged SSO token; detecting this specific timestamp in SOAP authentication headers is a high-fidelity indicator.
  • The JSESSIONID and resttoken cookie pattern (JSESSIONID=<56 chars>; resttoken=<digits>:<44 chars>) in responses to /j_spring_security_check can indicate successful auth bypass and session establishment.
  • The hardcoded static secret used to forge SSO tokens is baked into the DCNM application itself (CWE-798: Use of Hard-coded Credentials). The exploit does not require valid credentials; the username and session ID in the token do not need to exist on the target system.
  • The exploit was tested and confirmed working against Cisco DCNM 11.2.1 Installer for Windows (64-bit), Release 11.2(1), dated 18-Jun-2019. Other versions may be affected but were not confirmed in this PoC.
  • This exploit chains CVE-2019-15976 (auth bypass) with CVE-2019-15984 (SQL injection) for full RCE. Detection or patching of only one CVE may not prevent the full attack chain.
  • Cisco confirmed there are no workarounds for these authentication bypass vulnerabilities; only software updates address them.
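The bullets above describe each stage of the exploit chain as an observable HTTP artifact. What follows is an added example, not code from this page's sources, from Cisco, or from the PoC author: it turns those observations into detection logic and runs it over constructed request records. The HttpRecord shape, the regular expressions, the finding names, the stage ordering and the sample traffic are all assumptions made for the example. The token rule matches only the documented shape sessionid.timestamp.base64md5.username and the fixed timestamp 9999999999999; it deliberately does not encode the static secret.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class HttpRecord:
    """One request, plus response headers if the sensor sees them (assumed log shape)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""
    response_headers: dict = field(default_factory=dict)


# Token layout noted above: sessionid.timestamp.base64md5.username.
# Neither the session id nor the username has to exist on the target, so only
# the shape is matched; the hard-coded secret is intentionally not encoded here.
SSO_TOKEN_RE = re.compile(
    r"(?<![\w.])([A-Za-z0-9]+)\.(\d{13})\.([A-Za-z0-9+/=]{22,48})\.([A-Za-z0-9_@-]+)"
)
FIXED_TIMESTAMP = "9999999999999"   # constant timestamp used by the public PoC
# Stacked query: statement terminator, a second statement, trailing comment marker.
STACKED_SQLI_RE = re.compile(
    r";\s*(?:update|insert|select|delete|copy|create|drop)\b.*--", re.I | re.S
)
TRAVERSAL_RE = re.compile(r"(?:\.\./){4,}")
# Session shape noted above: JSESSIONID=<56 chars>; resttoken=<digits>:<44 chars>
SESSION_COOKIE_RE = re.compile(
    r"JSESSIONID=[A-Za-z0-9]{56};.*resttoken=\d+:[A-Za-z0-9+/=]{44}"
)


def detect(rec: HttpRecord) -> List[str]:
    """Return the finding names that fire for one record, in rule order."""
    findings = []
    haystack = rec.body + " " + " ".join(rec.headers.values())
    m = SSO_TOKEN_RE.search(haystack)
    if m:
        findings.append("forged_sso_token_fixed_timestamp"
                        if m.group(2) == FIXED_TIMESTAMP else "sso_token_in_request")
    post = rec.method == "POST"
    if post and rec.path.startswith("/DbAdminWSService/DbAdminWS") and "global-admin" in rec.body:
        findings.append("global_admin_user_creation")
    if (post and rec.path.startswith("/DbInventoryWSService/DbInventoryWS")
            and STACKED_SQLI_RE.search(rec.body)):
        findings.append("stacked_sql_injection")
    if post and rec.path.startswith("/ReportWSService/ReportWS") and TRAVERSAL_RE.search(rec.body):
        findings.append("report_path_traversal")
    if rec.method == "GET" and rec.path.split("?", 1)[0].endswith("/si.jsp"):
        findings.append("webshell_trigger")
    if (rec.method == "GET" and rec.path.startswith("/serverinfo/HtmlAdaptor")
            and "action=displayServerInfos" in rec.path
            and rec.headers.get("Authorization", "").startswith("Basic ")):
        findings.append("vfs_path_leak_basic_auth")
    if (rec.path.startswith("/j_spring_security_check")
            and SESSION_COOKIE_RE.search(rec.response_headers.get("Set-Cookie", ""))):
        findings.append("bypass_session_established")
    return findings


# Chain stages from the bullets above; the ordering is this example's own assumption.
CHAIN_ORDER = ["vfs_path_leak_basic_auth", "forged_sso_token_fixed_timestamp",
               "global_admin_user_creation", "stacked_sql_injection",
               "report_path_traversal", "webshell_trigger"]


def chain_coverage(records) -> List[str]:
    """Which chain stages appear anywhere in a batch of records."""
    seen = {f for r in records for f in detect(r)}
    return [stage for stage in CHAIN_ORDER if stage in seen]


# Constructed traffic for the example, not a capture from a real DCNM host.
SAMPLE = [
    HttpRecord("GET", "/serverinfo/HtmlAdaptor?action=displayServerInfos",
               headers={"Authorization": "Basic YWRtaW46YWRtaW4="}),
    HttpRecord("POST", "/DbAdminWSService/DbAdminWS",
               body="<s:Envelope><token>abc123.9999999999999.1B2M2Y8AsgTpgAmY7PhCfg==.admin</token>"
                    "<addUser><role>global-admin</role></addUser></s:Envelope>"),
    HttpRecord("POST", "/DbInventoryWSService/DbInventoryWS",
               body="<q>1; update xmldocs set content=decode('41','hex') where user_name='1337'; --</q>"),
    HttpRecord("POST", "/ReportWSService/ReportWS",
               body="<p>../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/tempXYZ/si.jsp</p>"),
    HttpRecord("GET", "/si.jsp"),
    HttpRecord("POST", "/j_spring_security_check", body="j_username=admin&j_password=x",
               response_headers={"Set-Cookie": "JSESSIONID=" + "A" * 56
                                 + "; resttoken=1234567890:" + "B" * 44}),
    HttpRecord("GET", "/index.html"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.method, rec.path, detect(rec))
    print("chain stages seen:", chain_coverage(SAMPLE))
```

The per-record findings are deliberately narrow (method plus path plus body shape) so that ordinary DCNM traffic to the same SOAP endpoints does not fire; the fixed-timestamp token is the highest-fidelity signal, and chain_coverage is the kind of roll-up a SIEM correlation rule would apply across a session to distinguish a scanner probing one endpoint from the full bypass-to-shell sequence.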

CVSS provenance

nvd v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 HIGH  AV:N/AC:L/Au:N/C:C/I:C/A:C (CVSS v2 has no Critical band; 10.0 is its top rating)
vendor (cisco): 9.8 CRITICAL