CiscoCISCO-SA-20150826-CVE-2015-6265Cisco ACE 4710 and ACE30 Application Control Engine CLI Privilege Escalation Vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
26.0%
A vulnerability in the command-line interface (CLI) of Cisco Application Control Engine (ACE) could allow an authenticated, local attacker to elevate privileges to read and alter the content of files that belong to other contexts.
The vulnerability is due to insufficient file access controls. An attacker could exploit this vulnerability by crafting a malicious file, copying it to the ACE, and using the file as input for a specific CLI command.
Cisco has confirmed the vulnerability; however, software updates are not available.
To exploit this vulnerability, an attacker must authenticate to the targeted device and have local network access. These access requirements may reduce the likelihood of a successful exploit.
Cisco would like to thank Jens Krabbenhoeft of Rauscher networX for reporting this vulnerability.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | ace_4700_series_application_control_engine_appliance | any | cpe:2.3:h:cisco:ace_4700_series_application_control_engine_appliance:any:*:*:*:*:*:*:* |
| cisco | ace_4710 | 4700_series_application_control_engine_appliances | cpe:2.3:h:cisco:ace_4710:4700_series_application_control_engine_appliances:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile
26.0%