CVE-2021-1441OS Command Injection in Cisco IOS XE Software

CWE-78OS Command Injection4 documents4 sources
Severity
6.7MEDIUMNVD
EPSS
0.1%
top 77.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedMar 24
Latest updateMay 24

Description

A vulnerability in the hardware initialization routines of Cisco IOS XE Software for Cisco 1100 Series Industrial Integrated Services Routers and Cisco ESR6300 Embedded Series Routers could allow an authenticated, local attacker to execute unsigned code at system boot time. This vulnerability is due to incorrect validations of parameters passed to a diagnostic script that is executed when the device boots up. An attacker could exploit this vulnerability by tampering with an executable file store

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

NVDcisco/ios_xe27 versions+26

🔴Vulnerability Details

2
GHSA
GHSA-75qr-v35g-mjqg: A vulnerability in the hardware initialization routines of Cisco IOS XE Software for Cisco 1100 Series Industrial Integrated Services Routers and Cisc2022-05-24
CVEList
Cisco IOS XE Software Hardware Initialization Routines Arbitrary Code Execution Vulnerability2021-03-24

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Hardware Initialization Routines Arbitrary Code Execution Vulnerability2021-03-24
CVE-2021-1441 — OS Command Injection in Cisco | cvebase