CVE-2022-20851 — Vulnetix

CVE-2022-20851 PUBLISHED CVSS 5.5 MEDIUM

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To exploit this vulnerability, an attacker must have valid Administrator privileges on the affected device.

EPSS 0.20% · 41.7th percentile

Risk Scores

CVSS 3.1

5.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

EPSS Score

0.20%

41.7th percentile

Affected Products

Vendor	Product	Versions
cisco	ios_xe	17.6.1
Cisco	Cisco IOS XE Software	n/a

Exploit Intelligence

20220928 Cisco IOS XE Software Web UI Command Injection Vulnerability (circl)

Timeline

Sep 30, 2022 CVE Published
Oct 1, 2022 EPSS Score
Nov 14, 2022 EPSS Score
Dec 29, 2022 EPSS Score
Feb 11, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 11, 2023 EPSS Score
Jun 24, 2023 EPSS Score
Aug 8, 2023 EPSS Score
Sep 21, 2023 EPSS Score
Nov 4, 2023 EPSS Score

References

20220928 Cisco IOS XE Software Web UI Command Injection Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-20851 advisory

Open in Interactive Console →