#VU28761 Command Injection in Cisco IOS XE - CVE-2020-3207
Published: June 5, 2020
Vulnerability identifier: #VU28761
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3207
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local user to execute arbitrary commands on the system.
The vulnerability exists due to insufficient input validation checks while processing boot options. A local administrator can modify device boot options and execute arbitrary commands on the target system.
This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software:
- Catalyst 3650 Series Switches
- Catalyst 3850 Series Switches
- Catalyst 9200 Series Switches
- Catalyst 9300 Series Switches
- Catalyst 9500 Series Switches
Remediation
Install updates from vendor's website.