CVE-2020-27131
published 2020-11-17


Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 87.72% (99.7th percentile)
Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities.

Affected (3 ranges)

Vendor | Product                                     | Version range | Fixed in
cisco  | cisco_security_manager                      |               |
cisco  | security_manager                            | <= 4.22       |
cisco  | security_manager_java_deserialization       |               |

Detection & IOCs (extracted from sources)

  • Detect malicious serialized Java objects sent to a specific listener on Cisco Security Manager; exploitation results in command execution as NT AUTHORITY\SYSTEM on the Windows host.
  • Monitor for inbound requests to Cisco Security Manager containing serialized Java object payloads (e.g., crafted with ysoserial/ysoserial.net); these are unauthenticated (pre-auth) exploitation attempts.
  • Track Cisco Bug IDs CSCvu99974 and CSCvv79824 for patch status and vendor-side detection guidance related to CVE-2020-27131.
  • No workarounds or mitigations exist for CVE-2020-27131; Cisco confirmed that no workarounds address these vulnerabilities.
  • Public PoC code for all 12 vulnerabilities (including CVE-2020-27131) was released by researcher Florian Hauser on November 16, 2020, raising the risk of active exploitation.

CVSS provenance

Source       | Version | Score | Severity | Vector
NVD          | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD          | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
Vendor (Cisco) |       | 8.1   | HIGH     |