CVE-2019-12648 CRITICAL

CVE-2019-12648: Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability

Vendor Cisco
Product Cisco IOS 15.7(3)M
Weakness CWE-284
Published September 25, 2019
Last update November 20, 2024

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.

Key dates

02Disclosure timeline

September 25, 2019 CVE published
November 20, 2024 Record updated