CVE-2019-1624
published 2019-06-20

Priority: P262 | high | 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.33% (90.0th percentile)

A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the vManage Web UI. A successful exploit could allow the attacker to execute commands with root privileges.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_sd-wan_solution | >= unspecified < 18.4.0 | 18.4.0 |
| cisco | sd-wan | < 18.4.0 | 18.4.0 |
| cisco | sd-wan_solution | | |

Detection & IOCs (extracted from sources)

  • Vulnerability exists in the vManage Web UI input handling; monitor for crafted/anomalous input submitted to the vManage Web UI by authenticated users that may contain command injection payloads (e.g., shell metacharacters in form fields).
  • Successful exploitation results in commands executed with root privileges; alert on unexpected root-level process spawning from the vManage web application process.
  • Exploitation requires prior authentication to the vManage device; scope detection efforts to authenticated sessions and monitor for privilege escalation post-login.
  • Multiple Cisco bug IDs are associated with this CVE (CSCvi46909, CSCvi59723, CSCvi59724), suggesting the injection surface may span more than one component of the SD-WAN solution.
  • No workarounds are available; patching is the only mitigation. Ensure vManage instances are updated to a fixed software version.

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_cisco | 8.8 | HIGH