CVE-2021-34724

CWE-284 — Improper Access Control4 documents4 sources

Severity

6.0MEDIUM

EPSS

0.1%

top 68.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Sd-wan Cisco Cisco IOS XE Sd-wan Software

Timeline

PublishedSep 23

Latest updateMay 24

Description

A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code on the underlying operating system as the root user. An attacker must be authenticated on an affected device as a PRIV15 user. This vulnerability is due to insufficient file system protection and the presence of a sensitive file in the bootflash directory on an affected device. An attacker could exploit this vulnerability by overwriting an installe…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_sd-wan_softwaren/a

▶NVDcisco/ios_xe_sd-wan17.3.1a

🔴Vulnerability Details

GHSA

GHSA-3jmx-8q3h-p8gc: A vulnerability in the Cisco IOS XE SD-WAN Software CLI could allow an authenticated, local attacker to elevate privileges and execute arbitrary code↗2022-05-24

▶

CVEList

Cisco IOS XE SD-WAN Software Privilege Escalation Vulnerability↗2021-09-23

▶

📋Vendor Advisories

Cisco

Cisco IOS XE SD-WAN Software Privilege Escalation Vulnerability↗2021-09-22

▶