Privilege Escalation in Cisco ISE's Embedded Service Router Affects System Security
CVE-2023-20193

6 MEDIUM

Key Information:

Vendor: Cisco
CVE Published: 7 September 2023

Badges

👾 Exploit Exists

Summary

A vulnerability exists in the Embedded Service Router (ESR) of Cisco Identity Services Engine (ISE) that may allow an authenticated local attacker to gain escalated privileges and manipulate files on the operating system. This issue arises from improper management of user privileges within the ESR console, enabling an attacker with valid Administrator access to send specially crafted requests to the device. If successfully exploited, this vulnerability could permit the attacker to read, write, or delete arbitrary files, thereby compromising the security and integrity of the affected system. The ESR feature must be enabled and licensed on the device, and users can confirm its status via the Admin GUI under Administration > Settings > Protocols > IPSec.

Affected Version(s)

Cisco Identity Services Engine Software 2.6.0

Cisco Identity Services Engine Software 2.6.0 p1

Cisco Identity Services Engine Software 2.6.0 p2

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
