Incorrect Privilege Assignment in Cisco Systems, Inc products - CVE-2022-20681
Published: April 14, 2022
Vulnerability identifier: #VU62324
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-20681
CWE-ID: CWE-266
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Catalyst 9300 Series Switches
Catalyst 9400 Series Switches
Catalyst 9500 Series Switches
Catalyst 9800 Embedded Wireless Controller
Catalyst 9800 Series Wireless Controllers
Catalyst 9800-CL Wireless Controllers for Cloud
Embedded Wireless Controller on Catalyst Access Points
Software vendor:
Cisco Systems, Inc
Description
The vulnerability allows a local user to escalate privileges on the affected device.
The vulnerability exists due to insufficient validation of user privileges after the user executes certain CLI commands. A local user can exploit this to execute arbitrary commands with privilege level 15 (privileged EXEC, the highest IOS XE privilege level) on the target device.
Remediation
Install updates from the vendor's website.