CVE-2023-20036OS Command Injection in Cisco Industrial Network Director

CWE-78OS Command InjectionCWE-552Files or Directories Accessible to External Parties4 documents4 sources
Severity
9.9CRITICALNVD
EPSS
7.2%
top 8.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Industrial Network DirectorCisco Industrial Network Director
Timeline
PublishedNov 15

Description

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SY

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

CVEListV5cisco/cisco_industrial_network_director20 versions+19

🔴Vulnerability Details

2
CVEList
Cisco Industrial Network Director Command Injection Vulnerability2024-11-15
GHSA
GHSA-c6cm-r234-phmq: A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges2024-11-15

📋Vendor Advisories

1
Cisco
Cisco Industrial Network Director Vulnerabilities2023-04-19
CVE-2023-20036 — OS Command Injection in Cisco | cvebase