Cisco UCS B-Series Vulnerability: Command Injection Attacks and Elevated Privileges

CVE-2024-20365

7.2HIGH

Key Information

Vendor: Cisco
Status: Cisco Unified Computing System (managed)
Vendor: CVE Published:; 2 October 2024

Badges

👾 Exploit Exists

Summary

A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco UCS Managed C-Series, and Cisco UCS X-Series Servers could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root.

This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending crafted commands through the Redfish API on an affected device. A successful exploit could allow the attacker to elevate privileges to root.

Affected Version(s)

Cisco Unified Computing System (Managed) = 4.1(2a)

Cisco Unified Computing System (Managed) = 4.1(2b)

Cisco Unified Computing System (Managed) = 4.1(3a)

Refferences

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 2, 2024
Vulnerability Reserved
Nov 8, 2023

Collectors

NVD DatabaseMitre Database