CVE-2019-1862
A vulnerability in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form. A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may lead to complete system compromise.
Risk Scores
EPSS 0.52% · 67.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cisco | ios_xe | 16.3.7 |
| Cisco | Cisco IOS XE Software | 3.2.0JA |
Exploit Intelligence
- CIRCL seen: CVE-2019-1862 (circl-sighting)
- 20190513 Cisco IOS XE Software Web UI Command Injection Vulnerability (circl)
- VU#400865 (circl)
- 108331 (circl)
Timeline
- May 13, 2019 CVE Published
- May 14, 2019 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- http://www.securityfocus.com/bid/108331 (url)
- 20190513 Cisco IOS XE Software Web UI Command Injection Vulnerability (vendor-advisory)
- VU#400865 (third-party-advisory)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-1862 (advisory)