CVE-2019-1620
published 2019-06-27
Priority: P187 critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 83.78% (99.7th percentile)
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.

Affected (3 ranges)

Vendor  Product                            Version range              Fixed in
cisco   cisco_data_center_network_manager  >= unspecified, < 11.2(1)  11.2(1)
cisco   data_center_network_manager        -                          -
cisco   data_center_network_manager        -                          -

Detection & IOCs (extracted from sources)

path: /fm/fileUpload
path: /fm/pmreport
path: /fm/log/fmlogs.zip
path: /fm/fmrest/about/version
cookie: JSESSIONID
snort rule (authenticated variant, requires a Cookie header):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)"; flow:established,to_server; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; http.header_names; to_lowercase; content:"cookie|0d 0a|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033445; rev:3; metadata:created_at 2021_07_27, cve CVE_2019_1620, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30;)
snort rule (unauthenticated variant, Cookie header absent):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)"; flow:established,to_server; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; http.header_names; to_lowercase; content:!"cookie|0d 0a|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033446; rev:3; metadata:created_at 2021_07_27, cve CVE_2019_1620, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30;)
  • Detect exploit check phase: HTTP GET to /fm/pmreport with a random token parameter returning HTTP 500, followed by HTTP GET to /fm/fileUpload returning HTTP 500, indicates a vulnerable DCNM instance being fingerprinted.
  • Detect auth bypass (CVE-2019-1619) token in GET parameter to /fm/pmreport: token format is sessionId.sysTime.base64(MD5).username — look for a structured token query parameter on that endpoint.
  • Detect WAR path disclosure abuse (CVE-2019-1622): unauthenticated HTTP GET to /fm/log/fmlogs.zip to retrieve log archive and extract Tomcat webapps deployment path from jboss*.log entries.
  • Detect WAR file upload exploitation: multipart POST to /fm/fileUpload containing form fields 'fname' (ending in .war), 'uploadDir', and a binary octet-stream part. The ET rules differentiate authenticated (Cookie header present) vs unauthenticated variants.
  • After WAR upload, attacker triggers execution by issuing an HTTP GET to the deployed app's base path (/<random_app_name>). Monitor for GET requests to short alphanumeric paths on the DCNM server shortly after a fileUpload POST.
  • Version fingerprinting via unauthenticated GET to /fm/fmrest/about/version — response body contains version string (e.g. '11.1(1)', '11.0(1)', '10.4(2)'). Monitor for unauthenticated access to this endpoint as a precursor to exploitation.
  • DCNM 11.0(1) requires valid credentials to exploit CVE-2019-1620; the auth bypass (CVE-2019-1619) only applies to versions 10.4(2) and below. Detection rules should account for authenticated uploads on 11.0(1).
  • DCNM 11.1(1) requires no authentication at all to exploit CVE-2019-1620 directly — no auth bypass chaining needed. Unauthenticated upload detections are highest priority for this version.
  • The Metasploit module chains three CVEs: CVE-2019-1619 (auth bypass), CVE-2019-1620 (file upload), and CVE-2019-1622 (log/info disclosure for WAR path). Full kill-chain detection requires monitoring all three exploit stages.
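The stages listed above, turned into log-side detection logic as an added example (not from the CVE record or any vendor tooling). It assumes requests have already been parsed into a simple record (method, path, status, query parameters, lowercased header names, multipart field names) by a proxy or WAF in front of DCNM; the `Req` class, the 120-second trigger window and the sample sequence are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Req:                                  # one request from a proxy/WAF log in front of DCNM
    ts: float                               # epoch seconds
    method: str
    path: str
    status: int
    query: dict = field(default_factory=dict)    # query parameters
    headers: dict = field(default_factory=dict)  # lowercase header names
    form: dict = field(default_factory=dict)     # multipart field name -> value

RECON_PATHS = ("/fm/fmrest/about/version", "/fm/log/fmlogs.zip")
SHORT_APP = re.compile(r"^/[A-Za-z0-9]{1,12}/?$")   # /<random_app_name> after a WAR deploy
BYPASS_TOKEN = re.compile(r"^[^.]+\.\d+\.[A-Za-z0-9+/=]+\.[^.]+$")  # sessionId.sysTime.b64(MD5).user

def detect_cve_2019_1620(reqs, window=120.0):
    """Return (tag, ts) alerts, one per exploit stage observed in the ordered request list."""
    alerts, last_upload = [], None
    for i, r in enumerate(reqs):
        unauth = "cookie" not in r.headers
        if r.method == "GET" and unauth and r.path in RECON_PATHS:
            alerts.append(("recon " + r.path, r.ts))
        if r.method == "GET" and r.path == "/fm/pmreport" and BYPASS_TOKEN.match(r.query.get("token", "")):
            alerts.append(("auth-bypass token (CVE-2019-1619)", r.ts))
        if r.method == "GET" and r.path == "/fm/fileUpload" and r.status == 500 and i:
            p = reqs[i - 1]   # fingerprint pair: pmreport?token=... 500, then fileUpload 500
            if p.path == "/fm/pmreport" and p.status == 500 and "token" in p.query:
                alerts.append(("fingerprint", r.ts))
        if r.method == "POST" and r.path == "/fm/fileUpload":
            if r.form.get("fname", "").lower().endswith(".war") and "uploadDir" in r.form:
                alerts.append((f"war-upload {'unauthenticated' if unauth else 'authenticated'}", r.ts))
                last_upload = r
        if (last_upload and r.method == "GET" and not r.path.startswith("/fm")
                and SHORT_APP.match(r.path) and 0 < r.ts - last_upload.ts <= window):
            alerts.append(("post-upload trigger " + r.path, r.ts))
    return alerts

# Constructed sample sequence (not captured traffic) walking through every stage.
SAMPLE = [
    Req(0, "GET", "/fm/fmrest/about/version", 200),
    Req(1, "GET", "/fm/pmreport", 500, query={"token": "zzzz"}),
    Req(2, "GET", "/fm/fileUpload", 500),
    Req(3, "GET", "/fm/log/fmlogs.zip", 200),
    Req(4, "GET", "/fm/pmreport", 200, query={"token": "abc123.1561600000.dGVzdA==.admin"}),
    Req(5, "POST", "/fm/fileUpload", 200, form={"fname": "x7Qk.war", "uploadDir": "PLACEHOLDER_DIR"}),
    Req(6, "GET", "/x7Qk/", 200),
]
```

Calling `detect_cve_2019_1620(SAMPLE)` yields six alerts in stage order; the authenticated and unauthenticated upload tags mirror the two ET rules above, and the trigger stage only fires within the window after a matching upload.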

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco  -        9.8    CRITICAL  -