Command Injection in Cisco Systems, Inc products - CVE-2023-20097

 

Command Injection in Cisco Systems, Inc products - CVE-2023-20097

Published: March 23, 2023


Vulnerability identifier: #VU73973
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20097
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Wireless LAN Controller Software
6300 Series Embedded Services Access Points
Aironet 4800 Access Points
Catalyst IW6300 Heavy Duty Series Access Points
Cisco IOS XE
Cisco Aironet 1540 Series Access Points
Aironet 1560 Series Access Points
Aironet 1800 Series Access Points
Aironet 2800 Series Access Points
Aironet 3800 Series Access Points
Catalyst 9100 Access Points
Catalyst IW9165 Heavy Duty Series
Catalyst IW9165 Rugged Series
Catalyst IW9167 Heavy Duty Series
Integrated AP on 1100 Integrated Services Routers

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in Cisco access points (AP) software. A local administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


How to mitigate CVE-2023-20097

Install updates from vendor's website.

Sources