CVE-2019-1912
published 2019-08-07


Priority: P2 (75)
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploit: PoC exists
EPSS: 17.04% (96.7th percentile)

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files. The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell. This vulnerability affects Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 with the web management interface enabled. The web management interface is enabled via both HTTP and HTTPS by default.

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_small_business_220_series_smart_plus_switches | >= unspecified, < 1.1.4.4 | 1.1.4.4 |
| cisco | sf-220-24_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-24p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sf220-48p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-26p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-28mp_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-50p_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | sg220-52_firmware | < 1.1.4.4 | 1.1.4.4 |
| cisco | small_business_220_series_smart_switches | | |

Detection & IOCs (extracted from sources)

[other] ETag: 225-51973 (Cisco Systems, Inc. Sx220 v1.1.3.1)
[other] ETag: 225-60080 (Cisco Systems, Inc. Sx220 v1.1.4.1)
[sigma] Snort SIDs: 51293, 51294, 51295, 51298, 51299, 51300, 51306, 51307
  • Exploit targets specific URI paths in the web management interface of Cisco Small Business 220 Series switches; monitor for unauthenticated HTTP/HTTPS POST requests to management interface endpoints that include file upload payloads.
  • Fingerprint vulnerable Cisco Sx220 targets via HTTP ETag header values 225-51973 (v1.1.3.1) and 225-60080 (v1.1.4.1); the PoC uses static ETag values to uniquely identify remote targets before exploitation.
  • Successful exploitation may result in reverse shell injection; monitor for unexpected outbound connections from Cisco Small Business 220 Series switches, particularly MIPS Big Endian shellcode activity.
  • The PoC exploit uses ASLR disabling via CMD injection on the stack before shellcode execution; detect command injection attempts targeting the switch web interface.
  • Unauthorized 'running-config' updates via the web interface can be used to add or delete credentials; monitor for unauthenticated configuration upload requests.
  • The vulnerability is exploitable only when the web management interface is enabled; it is enabled via both HTTP and HTTPS by default, so all unpatched devices with default config are exposed.
  • Only Cisco Small Business 220 Series Smart Switches running firmware versions prior to 1.1.4.4 are affected; devices on 1.1.4.4 or later are not vulnerable.
  • There are no workarounds available for this vulnerability; patching to the fixed firmware is the only mitigation.

CVSS provenance

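| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vendor_cisco | | 9.1 | CRITICAL | |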