CVE-2022-20855 — Incorrect Privilege Assignment in Cisco IOS XE Software

CWE-266 — Incorrect Privilege Assignment CWE-78 — OS Command Injection4 documents4 sources

Severity

6.7MEDIUMNVD

CNA7.9

EPSS

0.2%

top 58.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS XE Software Cisco IOS XE

Timeline

PublishedSep 30

Latest updateOct 1

Description

A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbitrary commands on the underlying operating system of the access point. This vulnerability is due to improper checks throughout the restart of certain system processes. An attacker could exploit this vulnerability by logging on to an affected device and executing…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5cisco/cisco_ios_xe_softwaren/a

▶NVDcisco/ios_xe17.6.1

🔴Vulnerability Details

GHSA

GHSA-mxx7-xwrv-x9hr: A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an↗2022-10-01

▶

CVEList

Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points Privilege Escalation Vulnerability↗2022-09-30

▶

📋Vendor Advisories

Cisco

Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points Privilege Escalation Vulnerability↗2022-09-28

▶