CVE-2021-1432 HIGH

CVE-2021-1432: Cisco IOS XE SD-WAN Software Arbitrary Command Execution Vulnerability

Vendor Cisco

Product Cisco IOS XE Software

Weakness CWE-20 · Input validation

Published March 24, 2021

Last update November 8, 2024

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the affected device as a low-privileged user to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting arbitrary commands to a file as a lower-privileged user. The commands are then executed on the device by the root user. A successful exploit could allow the attacker to execute arbitrary commands as the root user.

Key dates

02Disclosure timeline

March 24, 2021 CVE published

November 8, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-1432 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2021-1432: Cisco IOS XE SD-WAN Software Arbitrary Command Execution Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE