7.2
CVSSv2

CVE-2020-3266

Published: 19/03/2020 Updated: 23/03/2020
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local malicious user to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the malicious user to execute commands with root privileges.

Vulnerability Trend

Affected Products

Vendor Product Versions
CiscoSd-wan Firmware16.12.1b, 16.12.1d, 16.12.1e, 16.12.2r, 17.2.0, 18.3.0, 18.4.0, 18.4.1, 19.1.0, 19.2.0, 19.2.1

Vendor Advisories

A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges The vulnerability is due to insufficient input validation An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI ...

Recent Articles

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
The Register • Shaun Nichols in San Francisco • 19 Mar 2020

Switchzilla says remote networking gear has a grab-bag of holes

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed.
Switchzilla says the SD-WAN code is host to five vulnerabilities ranging from privilege escalation to remote code injection. The five CVE-listed bugs (CVE-2020-3264, CVE-2020-3265, CVE-2020-3266, CVE-2019-16010, CVE-2019-16012) are down to what Cisco calls "insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.
"An attacker could expl...

Cisco Warns of High-Severity SD-WAN Flaws
Threatpost • Lindsey O'Donnell • 19 Mar 2020

Cisco Systems has fixed three high-severity vulnerabilities in its software-defined networking for wide-area network (SD-WAN) solutions for business users. If exploited, the flaws could enable bad actors to execute commands with root privileges on affected systems. To exploit the vulnerabilities attackers need to first be local and authenticated.
The three flaws are located in various Cisco hardware and software products running the company’s SD-WAN software earlier than Release 19.2.2 (...