CVE-2019-1654Missing Authentication for Critical Function in Cisco Aironet Access Point Software

CWE-255CWE-306Missing Authentication for Critical Function4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 57.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Aironet Access Point SoftwareCisco Ap-cos
Timeline
PublishedApr 17
Latest updateMay 13

Description

A vulnerability in the development shell (devshell) authentication for Cisco Aironet Series Access Points (APs) running the Cisco AP-COS operating system could allow an authenticated, local attacker to access the development shell without proper authentication, which allows for root access to the underlying Linux OS. The attacker would need valid device credentials. The vulnerability exists because the software improperly validates user-supplied input at the CLI authentication prompt for develop

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5cisco/cisco_aironet_access_point_softwareunspecified8.3.150.0
NVDcisco/ap-cos8.4.100.08.5.135.0+2

🔴Vulnerability Details

2
GHSA
GHSA-7r57-xw66-r525: A vulnerability in the development shell (devshell) authentication for Cisco Aironet Series Access Points (APs) running the Cisco AP-COS operating sys2022-05-13
CVEList
Cisco Aironet Series Access Points Development Shell Access Vulnerability2019-04-17

📋Vendor Advisories

1
Cisco
Cisco Aironet Series Access Points Development Shell Access Vulnerability2019-04-17
CVE-2019-1654 — Cisco vulnerability | cvebase