CVE-2024-20469OS Command Injection in Cisco Identity Services Engine Software

CWE-78OS Command Injection5 documents5 sources
Severity
6.7MEDIUMNVD
CNA6.0
EPSS
0.1%
top 68.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco Identity Services Engine SoftwareCisco Identity Services Engine
Timeline
PublishedSep 4

Description

A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid Administrator privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

NVDcisco/identity_services_engine3.2.0, 3.3.0+1

🔴Vulnerability Details

2
CVEList
Cisco Identity Services Engine Command Injection Vulnerability2024-09-04
GHSA
GHSA-g3fw-hx3v-rvcr: A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injec2024-09-04

📋Vendor Advisories

1
Cisco
Cisco Identity Services Engine Command Injection Vulnerability2024-09-04

🕵️Threat Intelligence

1
Bleepingcomputer
Cisco fixes root escalation vulnerability with public exploit code2024-09-04
CVE-2024-20469 — OS Command Injection in Cisco | cvebase