8.5
CVSSv2

CVE-2019-16012

Published: 19/03/2020 Updated: 23/03/2020
CVSS v2 Base Score: 8.5 | Impact Score: 9.2 | Exploitability Score: 8
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N

Vulnerability Summary

A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote malicious user to conduct SQL injection attacks on an affected system. The vulnerability exists because the web UI improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the malicious user to modify values on, or return values from, the underlying database as well as the operating system.

Vulnerability Trend

Affected Products

Vendor Product Versions
CiscoSd-wan Firmware16.12.1b, 16.12.1d, 16.12.1e, 16.12.2r, 17.2.0, 18.3.0, 18.4.0, 18.4.1, 19.1.0, 19.2.0, 19.2.1

Vendor Advisories

A vulnerability in the web UI of Cisco SD-WAN Solution vManage software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system The vulnerability exists because the web UI improperly validates SQL values An attacker could exploit this vulnerability by authenticating to the application and sending malic ...

Recent Articles

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
The Register • Shaun Nichols in San Francisco • 19 Mar 2020

Switchzilla says remote networking gear has a grab-bag of holes

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
Switchzilla says the SD-WAN code is host to five vulnerabilities ranging from privilege escalation to remote code injection. The five CVE-listed bugs (CVE-2020-3264, CVE-2020-3265, CVE-2020-3266, CVE-2019-16010, CVE-2019-16012) are down to what Cisco calls "insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.
"An attacker could expl...