Cisco IND Vulnerability Allows Arbitrary Commands Execution with Admin Privileges

CVE-2023-20036

9.9CRITICAL

Key Information

Vendor: Cisco
Status: Cisco Industrial Network Director
Vendor: CVE Published:; 15 November 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected Version(s)

Cisco Industrial Network Director = 1.3.1

Cisco Industrial Network Director = 1.6.0

Cisco Industrial Network Director = 1.7.0

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Nov 15, 2024
Vulnerability Reserved.
Oct 27, 2022
👾
Exploit exists.
Jan 1, 1970

Collectors

NVD DatabaseMitre Database