CVE-2022-20864 MEDIUM

CVE-2022-20864: Cisco IOS XE ROM Monitor Software for Catalyst Switches Information Disclosure Vulnerability

Vendor Cisco
Product Cisco IOS XE Software
Weakness CWE-538
Published October 10, 2022
Last update November 1, 2024

CVSS base score

4.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in the password-recovery disable feature of Cisco IOS XE ROM Monitor (ROMMON) Software for Cisco Catalyst Switches could allow an unauthenticated, local attacker to recover the configuration or reset the enable password. This vulnerability is due to a problem with the file and boot variable permissions in ROMMON. An attacker could exploit this vulnerability by rebooting the switch into ROMMON and entering specific commands through the console. A successful exploit could allow the attacker to read any file or reset the enable password.

Key dates

02Disclosure timeline

October 10, 2022 CVE published
November 1, 2024 Record updated