Incorrect Privilege Assignment in Cisco Systems, Inc products - CVE-2022-20681
Published: April 14, 2022
Vulnerability identifier: #VU62324
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-20681
CWE-ID: CWE-266
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Catalyst 9300 Series Switches
Catalyst 9400 Series Switches
Catalyst 9500 Series Switches
Catalyst 9800 Embedded Wireless Controller
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controller on Catalyst Access Points
Cisco IOS XE
Catalyst 9300 Series Switches
Catalyst 9400 Series Switches
Catalyst 9500 Series Switches
Catalyst 9800 Embedded Wireless Controller
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controller on Catalyst Access Points
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user privileges after the user executes certain CLI commands. A local user can execute arbitrary commands with level 15 privileges on the target device.
How to mitigate CVE-2022-20681
Install updates from vendor's website.