Command Injection in Cisco Systems, Inc products - CVE-2023-20097


Published: March 23, 2023


Vulnerability identifier: #VU73973
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20097
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Wireless LAN Controller Software
6300 Series Embedded Services Access Points
Aironet 4800 Access Points
Catalyst IW6300 Heavy Duty Series Access Points
Cisco IOS XE
Cisco Aironet 1540 Series Access Points
Aironet 1560 Series Access Points
Aironet 1800 Series Access Points
Aironet 2800 Series Access Points
Aironet 3800 Series Access Points
Catalyst 9100 Access Points
Catalyst IW9165 Heavy Duty Series
Catalyst IW9165 Rugged Series
Catalyst IW9167 Heavy Duty Series
Integrated AP on 1100 Integrated Services Routers
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a local user to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in Cisco access point (AP) software. A local administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install updates from the vendor's website.

External links