CVE-2020-3218 — Improper Input Validation in Cisco IOS XE Software 16.6.1

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.2HIGHNVD

EPSS

1.3%

top 20.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Software 16.6.1 Cisco IOS XE

Timeline

PublishedJun 3

Latest updateOct 27

Description

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code with root privileges on the underlying Linux shell. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by first creating a malicious file on the affected device itself and then uploading a second malicious file to the device. A successful exploit could allow the attacker to e…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_software_16.6.1n/a

▶NVDcisco/ios_xe58 versions+57

Patches

Patch: tools.cisco.com ↗Patch: tools.cisco.com ↗

🔴Vulnerability Details

GHSA

GHSA-2vmg-wrjc-c333: A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to execute arbitra↗2022-05-24

▶

CVEList

Cisco IOS XE Software Web UI Remote Code Execution Vulnerability↗2020-06-03

▶

📋Vendor Advisories

CISA ICS

Rockwell Automation Stratix Devices Containing Cisco IOS↗2022-10-27

▶

Cisco

Cisco IOS XE Software Web UI Remote Code Execution Vulnerability↗2020-06-03

▶