Command Injection Vulnerability in Cisco Identity Services Engine (ISE)
CVE-2023-20170

6MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Identity Services Engine Software
Vendor: CVE Published:; 1 November 2023

Badges

👾 Exploit Exists

Summary

A vulnerability exists in Cisco Identity Services Engine that could allow an authenticated, local attacker to execute command injection attacks. This security flaw arises from insufficient input validation in the CLI commands, allowing an attacker with valid Administrator-level privileges to submit a specially crafted command. Exploiting this vulnerability could permit the attacker to elevate their privileges to root, thereby gaining unauthorized access to critical system components.

Affected Version(s)

Cisco Identity Services Engine Software

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Oct 23, 2024
Vulnerability published
Nov 1, 2023
Vulnerability Reserved
Oct 27, 2022