⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2021-1435Path Traversal in Cisco IOS XE Software

CWE-22Path TraversalCWE-78OS Command Injection7 documents7 sources
Severity
7.2HIGHNVD
EPSS
0.3%
top 43.91%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 24
Latest updateOct 23

Description

A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that can be executed as the root user. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web UI of an affected device with arbitrary commands injected into a portion of the request. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe36 versions+35

🔴Vulnerability Details

2
GHSA
GHSA-5rv2-fphg-fgcg: A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that can be executed2022-05-24
CVEList
Cisco IOS XE Software Web UI Command Injection Vulnerability2021-03-24

📋Vendor Advisories

2
CISA
Cisco IOS XE Web UI Command Injection Vulnerability2023-10-23
Cisco
Cisco IOS XE Software Web UI Command Injection Vulnerability2021-03-24
CVE-2021-1435 — Path Traversal in Cisco IOS XE Software | cvebase