CVE-2022-20676 MEDIUM

CVE-2022-20676: Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability

Vendor Cisco
Product Cisco IOS XE Software
Weakness CWE-250
Published April 15, 2022
Last update September 16, 2024

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root-level privileges. The vulnerability is due to insufficient input validation of data passed into the Tcl interpreter. An attacker could exploit it by loading malicious Tcl code on an affected device; a successful exploit could allow the attacker to execute arbitrary commands as root. By default, Tcl shell access requires privilege level 15, which is why the CVSS vector records the attack as local with high privileges required: the attacker must already hold full administrative access to the IOS XE CLI. What the escalation gains is a crossing from the IOS XE command-line parser into the underlying host operating system, where a root shell can run commands that the CLI's privilege levels and command authorization never see.
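
Because Tcl shell access is a privilege-level-15 action, the most useful telemetry for this vulnerability class is command accounting: every tclsh invocation on an IOS XE device is a privileged event worth reviewing. The script below is an added detection example, not part of this record or of Cisco's advisory. It parses constructed TACACS+ command-accounting lines in a tac_plus-style tab-separated layout (the layout, hosts, users and timestamps are assumptions of the example) and lists each tclsh command together with any script path passed to it.

```python
"""Flag Tcl shell use in TACACS+ command-accounting records (added example).

Tcl shell access on Cisco IOS XE requires privilege level 15 by default, so
every tclsh invocation is a privileged action worth reviewing. This script
parses tac_plus-style accounting lines and reports each tclsh command, along
with any script path that was passed to it.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample, not a real capture. The layout follows tac_plus-style
# accounting logs (tab-separated: timestamp, NAS address, user, port, client
# address, event, then attribute=value pairs); treating that as the format is
# an assumption of this example, and all hosts, users and times are invented.
SAMPLE_ACCOUNTING_LOG = (
    "Thu Apr 14 09:58:01 2022\t192.0.2.10\tnetops\ttty2\t198.51.100.7\tstop\t"
    "task_id=41\tservice=shell\tpriv-lvl=15\tcmd=show version <cr>\n"
    "Thu Apr 14 10:02:12 2022\t192.0.2.10\tnetops\ttty2\t198.51.100.7\tstop\t"
    "task_id=42\tservice=shell\tpriv-lvl=15\tcmd=tclsh <cr>\n"
    "Thu Apr 14 10:03:40 2022\t192.0.2.10\tnetops\ttty2\t198.51.100.7\tstop\t"
    "task_id=43\tservice=shell\tpriv-lvl=15\tcmd=tclsh flash:/maint.tcl <cr>\n"
    "Thu Apr 14 10:05:05 2022\t192.0.2.11\thelpdesk\ttty3\t198.51.100.9\tstop\t"
    "task_id=44\tservice=shell\tpriv-lvl=1\tcmd=show ip interface brief <cr>\n"
)


@dataclass(frozen=True)
class TclShellEvent:
    timestamp: str
    device: str
    user: str
    client: str
    priv_level: int | None
    script: str | None  # path handed to tclsh, or None for an interactive shell


def parse_record(line: str) -> dict[str, str] | None:
    """Split one accounting line into its fixed columns plus attribute pairs.

    Returns None for lines that lack the six leading columns assumed above.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    record = {
        "timestamp": fields[0],
        "device": fields[1],
        "user": fields[2],
        "port": fields[3],
        "client": fields[4],
        "event": fields[5],
    }
    for pair in fields[6:]:
        key, sep, value = pair.partition("=")
        if sep:
            record[key] = value
    return record


def find_tcl_shell_use(log_text: str) -> list[TclShellEvent]:
    """Return one event per accounting record whose command is tclsh."""
    events: list[TclShellEvent] = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None or record["event"] != "stop":
            continue  # command accounting is reported in stop records
        cmd = record.get("cmd", "")
        if cmd.endswith("<cr>"):
            cmd = cmd[: -len("<cr>")]
        tokens = cmd.split()
        if not tokens or tokens[0] != "tclsh":
            continue
        priv = record.get("priv-lvl")
        events.append(
            TclShellEvent(
                timestamp=record["timestamp"],
                device=record["device"],
                user=record["user"],
                client=record["client"],
                priv_level=int(priv) if priv and priv.isdigit() else None,
                script=tokens[1] if len(tokens) > 1 else None,
            )
        )
    return events


if __name__ == "__main__":
    for ev in find_tcl_shell_use(SAMPLE_ACCOUNTING_LOG):
        what = f"script {ev.script}" if ev.script else "interactive shell"
        print(f"{ev.timestamp} {ev.device} user={ev.user} from={ev.client} "
              f"priv={ev.priv_level} tclsh ({what})")
```

Run against the constructed sample, the script reports two events for user netops on 192.0.2.10: an interactive tclsh session and a tclsh run of flash:/maint.tcl. The helpdesk user's privilege-level-1 show command is ignored. The point of keeping the script path is that a file sourced from flash is the artefact to pull and inspect when such an event appears outside a change window.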

Key dates

02 Disclosure timeline

April 15, 2022 CVE published
September 16, 2024 Record updated