Main Vulnerability Database Vulnerabilities #VU28759

Command Injection in Cisco IOS XE - CVE-2020-3212

Published: June 5, 2020

Vulnerability identifier: #VU28759

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-3212

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco IOS XE

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input sanitization in the web UI. A remote administrator can uplnout a specially crafted file and execute arbitrary commands on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software:

Cisco Catalyst 3850 Series Switches
Cisco Catalyst 3650 Series Switches
Cisco Catalyst 9300 Series Switches
Cisco Catalyst 9500 Series Switches
Cisco Catalyst 9200 Series Switches

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj3-44st5CcA

Command Injection in Cisco IOS XE - CVE-2020-3212

Description

Remediation

External links

Please verify you're human