Command Injection Vulnerability in Cisco ISE Products
CVE-2023-20175

8.8 HIGH

Key Information:

Vendor:
Cisco
CVE Published:
1 November 2023

Badges

Exploit Exists

Summary

A command injection vulnerability in specific Cisco ISE CLI commands could allow an authenticated attacker to execute arbitrary commands on the underlying operating system and potentially gain root privileges. The flaw is caused by insufficient validation of user-supplied input to those CLI commands. To exploit it, an attacker must have valid Read-only-level privileges or higher on the affected device and submit specially crafted CLI commands. A successful exploit could give the attacker elevated rights on the device, a significant security risk.

Affected Version(s)

Cisco Identity Services Engine Software 2.6.0

Cisco Identity Services Engine Software 2.6.0 p1

Cisco Identity Services Engine Software 2.6.0 p2

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved