Improper access control in Cisco IOS XE - CVE-2020-3222
Published: June 4, 2020
Vulnerability identifier: #VU28562
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3222
CWE-ID: CWE-284
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the presence of a proxy service at a specific endpoint of the web UI. A remote attacker on the local network can connect to the proxy service and bypass access restrictions on the network by proxying their access request through the management network of the affected device.
This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software:
- Cisco Catalyst 3850 Series Switches
- Cisco Catalyst 3650 Series Switches
- Cisco Catalyst 9300 Series Switches
- Cisco Catalyst 9500 Series Switches
- Cisco Catalyst 9200 Series Switches
How to mitigate CVE-2020-3222
Install updates from vendor's website.