CVE-2020-3219 — Command Injection in Cisco IOS XE Software 16.1.1

CWE-77 — Command Injection CWE-20 — Improper Input Validation5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 35.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Software 16.1.1 Cisco IOS XE

Timeline

PublishedJun 3

Latest updateOct 27

Description

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by submitting crafted input to the web UI. A successful exploit could allow an attacker to execute arbitrary commands with administrat…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_software_16.1.1n/a

▶NVDcisco/ios_xe92 versions+91

Patches

Patch: tools.cisco.com ↗Patch: tools.cisco.com ↗

🔴Vulnerability Details

GHSA

GHSA-2hc6-pjqv-vf75: A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with adm↗2022-05-24

▶

CVEList

Cisco IOS XE Software Web UI Command Injection Vulnerability↗2020-06-03

▶

📋Vendor Advisories

CISA ICS

Rockwell Automation Stratix Devices Containing Cisco IOS↗2022-10-27

▶

Cisco

Cisco IOS XE Software Web UI Command Injection Vulnerability↗2020-06-03

▶