CVE-2019-12672 MEDIUM

CVE-2019-12672: Cisco IOS XE Software Arbitrary Code Execution Vulnerability

Vendor Cisco
Product Cisco IOS XE Software 3.11.1S
Weakness CWE-59
Published September 25, 2019
Last update November 20, 2024

CVSS base score

6.2/10
Attack vector Physical
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient file location validation. An attacker could exploit this vulnerability by placing code in a specific format on a USB device and inserting it into an affected Cisco device. A successful exploit could allow the attacker to execute the code with root privileges on the underlying OS of the affected device.

Key dates

02Disclosure timeline

September 25, 2019 CVE published
November 20, 2024 Record updated