Cisco IND Vulnerability Allows Arbitrary Commands Execution with Admin Privileges
CVE-2023-20036

9.9CRITICAL

Key Information:

Vendor: Cisco
Status: Cisco Industrial Network Director
Vendor: CVE Published:; 15 November 2024

Summary

A vulnerability exists in the web UI of Cisco IND that enables an authenticated remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system. This issue arises from inadequate input validation when a Device Pack is uploaded. An attacker can exploit this vulnerability by manipulating the request sent during the Device Pack upload process. If successfully exploited, the attacker could execute arbitrary commands as NT AUTHORITY\SYSTEM, compromising the integrity and security of the affected device. Software updates are available from Cisco to mitigate this vulnerability, as no workarounds can sufficiently address the issue.

Affected Version(s)

Cisco Industrial Network Director 1.3.1

Cisco Industrial Network Director 1.6.0

Cisco Industrial Network Director 1.7.0

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Oct 27, 2022