Command Injection Vulnerability in Cisco Unified Computing System and Firepower Devices
CVE-2017-12243
Key Information:
- Vendor: Cisco
- Status: Vendor
- CVE Published: 2 November 2017
Summary
A command injection vulnerability exists in Cisco Unified Computing System (UCS) Manager and Cisco Firepower devices, allowing authenticated local attackers to execute arbitrary commands. This flaw arises from inadequate validation of string inputs in the shell application. By crafting and sending malicious commands, an attacker can potentially gain root shell privileges on the affected devices, leading to unauthorized access and control over system functions.
Affected Version(s)
Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance
EPSS Score
93% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability Reserved