CVE-2023-20102
published 2023-04-05

Priority: P2 · 60 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.00% (58.6th percentile)
A vulnerability in the web-based management interface of Cisco Secure Network Analytics could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to insufficient sanitization of user-provided data that is parsed into system memory. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the administrator user.

Affected

3 ranges

Vendor   Product                           Version range   Fixed in
cisco    cisco_secure_network_analytics    -               -
cisco    secure_network_analytics          <= 7.4.1        -
cisco    secure_network_analytics          -               -

("-" = not given in the source.)

Detection & IOCs (extracted from sources)

  • Exploit vector is a crafted HTTP request to the web-based management interface of Cisco Secure Network Analytics (SMC); monitor for anomalous or malformed HTTP requests to the management interface from authenticated sessions.
  • The weakness is deserialization of untrusted data (CWE-502); inspect HTTP request bodies sent to the management interface for serialized Java object payloads (stream header bytes 0xAC 0xED 0x00 0x05, which appear as the prefix "rO0AB" when base64-encoded).
  • Successful exploitation yields code execution as the administrator user on the underlying OS; alert on unexpected privileged process spawning from the Cisco Secure Network Analytics web service process.
  • Exploitation requires an authenticated session; prioritize detection of post-authentication anomalous activity and review for compromised credentials as a precursor.
  • No workarounds exist; the only mitigation is applying Cisco's released software updates. Unpatched devices remain exposed to authenticated RCE.
  • Tracked by Cisco as Bug ID CSCwc95889; use this identifier when cross-referencing Cisco TAC or internal patch-management records.
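The following detector implements the first two bullets above (requests to the management interface whose bodies carry a Java serialization stream, raw or base64-encoded) and tags each hit with whether the session was authenticated, since that is a precondition for this CVE. It is an added example written for this page, not Cisco's code and not tied to any real SMC endpoint: the `/smc/` path prefix, the JSON-lines proxy log format with a base64-encoded body, and the sample records are all assumptions constructed here for illustration.

```python
import base64
import json

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four bytes always starts with this prefix ("rO0ABQ==" for the
# bare header), so it is a cheap indicator inside form fields or JSON strings.
JAVA_SER_B64_PREFIX = "rO0AB"

# Assumption: the management interface is served under this path prefix. The
# page does not give the real SMC paths; set this from your proxy/WAF logs.
MGMT_PATH_PREFIX = "/smc/"


def classify_body(body: bytes):
    """Return a reason string if the body carries a Java serialization stream,
    raw or base64-encoded (e.g. inside a form field), else None."""
    if JAVA_SER_MAGIC in body:
        return "raw-java-serialization"
    if JAVA_SER_B64_PREFIX in body.decode("ascii", errors="ignore"):
        return "base64-java-serialization"
    return None


def scan_records(lines):
    """Scan JSON-lines proxy records (assumed format: ts, src, user, method,
    path, body_b64) and return findings for requests to the management
    interface whose body looks like a serialized Java object."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if not rec.get("path", "").startswith(MGMT_PATH_PREFIX):
            continue
        body = base64.b64decode(rec.get("body_b64") or "")
        reason = classify_body(body)
        if reason is None:
            continue
        findings.append({
            "ts": rec.get("ts"),
            "src": rec.get("src"),
            "user": rec.get("user"),
            # The CVE needs an authenticated session: an authenticated hit is
            # a likely exploit attempt, an unauthenticated one is recon/noise.
            "authenticated": rec.get("user") is not None,
            "path": rec.get("path"),
            "reason": reason,
        })
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample records (not real traffic). Bodies are base64-encoded as a
# proxy or WAF with body capture might log them.
SAMPLE_LOG = [
    json.dumps({"ts": "2023-04-06T10:12:03Z", "src": "10.1.2.3", "user": "admin",
                "method": "POST", "path": "/smc/api/report",
                "body_b64": _b64(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap")}),
    json.dumps({"ts": "2023-04-06T10:12:09Z", "src": "10.1.2.4", "user": "analyst",
                "method": "POST", "path": "/smc/api/upload",
                "body_b64": _b64(b"name=x&payload="
                                 + _b64(JAVA_SER_MAGIC + b"sr\x00\x05Dummy").encode())}),
    json.dumps({"ts": "2023-04-06T10:12:15Z", "src": "10.1.2.5", "user": "admin",
                "method": "POST", "path": "/smc/api/search",
                "body_b64": _b64(b'{"query": "host:10.0.0.1"}')}),
    json.dumps({"ts": "2023-04-06T10:12:20Z", "src": "10.1.2.6", "user": None,
                "method": "POST", "path": "/login",
                "body_b64": _b64(b"username=test&password=test")}),
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the first two records are flagged (raw header in one, base64 header inside a form field in the other) and both are marked authenticated; the legitimate JSON search and the unauthenticated login request produce nothing. Note that the base64 check is a substring match, so a tagged `rO0AB` inside a larger encoded blob (or under an extra layer of URL-encoding) is still caught, but gzip- or otherwise transformed bodies are not; decode those before calling `classify_body`.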

CVSS provenance

NVD (v3.1):      8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Cisco (vendor):  8.8 HIGH