Cisco Addresses Command Injection Vulnerability with Public Exploit Code

September 4, 2024

Cisco has recently patched a significant command injection vulnerability that allows threat actors to escalate their privileges to root on vulnerable systems. This vulnerability, tracked as CVE-2024-20469, was found in Cisco's Identity Services Engine (ISE), a solution that provides network access control and policy enforcement based on identity. The ISE software is widely used for network device administration and endpoint access control in enterprise environments. The flaw stems from insufficient validation of user-supplied input.

Local threat actors can exploit this vulnerability by submitting maliciously crafted command-line interface (CLI) commands. Exploitation is low-complexity and requires no user interaction. However, as Cisco points out, successful exploitation is only possible if the threat actor already holds Administrator privileges on an unpatched system.

"A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," Cisco warned in its recent security advisory. It also stated, "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory."
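As an added illustration (not Cisco's code; the internals of the affected ISE CLI commands are not public), the following constructed Python shows the bug class the advisory describes: a privileged command handler that splices a user-supplied argument into a shell command line, beside the hardened form that validates the argument against an allowlist and passes it as a single argv element. `echo` stands in for the privileged utility, and the inputs are constructed samples.

```python
import re
import subprocess

# Constructed illustration of the bug class in the advisory above: a CLI
# command handler that runs with high privileges and splices a user-supplied
# argument into a shell command line. `echo` stands in for the privileged
# utility; the real Cisco ISE code is not public and this is not it.

HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
SHELL_METACHARS = set(";|&$`<>(){}\n")


def run_status_unsafe(target: str) -> str:
    """Vulnerable pattern: string concatenation plus shell=True.

    Anything after a ';' in `target` is parsed by /bin/sh as a second
    command and runs with the handler's privileges."""
    completed = subprocess.run(
        "echo status " + target, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def looks_injected(target: str) -> bool:
    """Audit/detection helper: flag arguments carrying shell metacharacters."""
    return any(c in SHELL_METACHARS for c in target)


def run_status_safe(target: str) -> str:
    """Hardened pattern: allowlist validation, then an argv list with no shell.

    The argument reaches the utility as one literal token, so shell syntax
    in it has no effect; validation rejects it before it gets that far."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected argument: {target!r}")
    completed = subprocess.run(
        ["echo", "status", target], capture_output=True, text=True
    )
    return completed.stdout


if __name__ == "__main__":
    benign = "ise-node1.example"             # constructed sample input
    malicious = "ise-node1; echo INJECTED"   # constructed sample input
    print(run_status_unsafe(malicious), end="")  # second line is the injected command's output
    print(run_status_safe(benign), end="")
    try:
        run_status_safe(malicious)
    except ValueError as exc:
        print(exc)
```

Logging every argument for which `looks_injected` returns true gives defenders a cheap signal of attempted misuse of privileged CLI handlers, independent of whether the handler itself is fixed.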

To date, Cisco has not found any evidence of this security vulnerability being exploited in the wild. In addition to this, Cisco alerted its customers that it had eliminated a backdoor account in its Smart Licensing Utility Windows software. This backdoor could be used by attackers to log into systems that have not been patched, using administrative privileges.

In April, Cisco released security patches for another vulnerability in its Integrated Management Controller (IMC), known as CVE-2024-20295. The exploit code for this vulnerability, which is publicly available, also allows local attackers to escalate their privileges to root. Cisco also patched a critical flaw (CVE-2024-20401) last month, which could allow threat actors to add rogue root users and permanently disable Security Email Gateway (SEG) appliances through malicious emails. The same week, Cisco warned about a maximum-severity vulnerability that could allow attackers to change any user password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including those of administrators.
