CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:H/Au:N/C:C/I:N/A:N |

EPSS percentile: 66.1%

A vulnerability in the vty authentication of Cisco IOS XE Software (03.02.xxSE and 03.03.xxSE only) could allow an unauthenticated, remote attacker to access an affected device without authentication and perform actions on the device with the privileges configured for the vty line interface.
The vulnerability is due to incomplete validation of the Linux-IOS Internal Network interface. An unauthenticated, remote attacker could exploit this vulnerability only if their source address is in the 192.168.x.2 subnet and the attacker has IP communication to the Cisco IOS XE device. An exploit could allow the attacker to access the device with the privilege level of the vty line interface.
Cisco has confirmed the vulnerability in a security notice and released software updates.
To exploit this vulnerability, it is likely that an attacker would need access to trusted, internal networks in order to communicate with the targeted device. This access requirement limits the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | cisco_ios | 3.2se | cpe:2.3:o:cisco:cisco_ios:3.2se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.3se | cpe:2.3:o:cisco:cisco_ios:3.3se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.2.0se | cpe:2.3:o:cisco:cisco_ios:3.2.0se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.2.1se | cpe:2.3:o:cisco:cisco_ios:3.2.1se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.2.2se | cpe:2.3:o:cisco:cisco_ios:3.2.2se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.2.3se | cpe:2.3:o:cisco:cisco_ios:3.2.3se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.3.0se | cpe:2.3:o:cisco:cisco_ios:3.3.0se:xe:*:*:*:*:*:* |
cisco | cisco_ios | 3.3.1se | cpe:2.3:o:cisco:cisco_ios:3.3.1se:xe:*:*:*:*:*:* |