Privilege escalation in Cisco IOS XE - CVE-2017-12230
Published: September 27, 2017 / Updated: September 28, 2017
Vulnerability identifier: #VU8615
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-12230
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to escalate privileges on the device.
The vulnerability exists due to incorrect default permission settings for new users who are created by using the web UI of the affected software. A remote attacker with valid credentials can use the web UI to create a new user account that receives elevated privileges, then log in with that account and gain unauthorized privileged access to the affected device.
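Because the effect of this flaw is an extra local account holding a higher privilege level than intended, the practical post-patch check is to audit the local user database against an allowlist of approved level-15 accounts. The following Python snippet is an added example, not code from this advisory or from Cisco: it parses the `username` lines of a `show running-config` dump, treats a missing `privilege` keyword as the IOS XE default of level 1, and reports any privilege-15 account that is not on the approved list. The configuration lines and account names are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "show running-config | include ^username" output.
# The names and hash placeholders are invented; they are not from any real device.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$REDACTEDHASH1
username helpdesk privilege 5 secret 9 $9$REDACTEDHASH2
username webuser secret 9 $9$REDACTEDHASH3
username backdoor privilege 15 secret 9 $9$REDACTEDHASH4
"""

# Matches "username <name>" with an optional "privilege <n>" clause.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)


def parse_local_users(config: str) -> Dict[str, int]:
    """Map each local username to its privilege level.

    IOS XE assigns level 1 when the "privilege" keyword is absent, so
    that default is applied here rather than skipping the account.
    """
    users: Dict[str, int] = {}
    for match in USERNAME_RE.finditer(config):
        name, priv = match.group(1), match.group(2)
        users[name] = int(priv) if priv is not None else 1
    return users


def unexpected_admins(config: str, approved: Set[str]) -> List[str]:
    """Return privilege-15 accounts that are not on the approved list.

    An unexpected entry here is exactly the artefact a successful abuse of
    the web UI default-permission flaw would leave behind.
    """
    users = parse_local_users(config)
    return sorted(name for name, level in users.items()
                  if level == 15 and name not in approved)


if __name__ == "__main__":
    approved_admins = {"netops"}  # assumption: the only sanctioned level-15 account
    for user, level in parse_local_users(SAMPLE_CONFIG).items():
        print(f"{user:<12} privilege {level}")
    print("unexpected level-15 accounts:", unexpected_admins(SAMPLE_CONFIG, approved_admins))
```

Run this against a saved `show running-config` from each device after applying the fixed release; any account the script reports should be removed with `no username <name>` and its creation investigated in the device logs and AAA accounting records.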
How to mitigate CVE-2017-12230
Update to version 16.2(1.9).