CVE-2023-20064 MEDIUM

CVE-2023-20064: Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability

Vendor Cisco
Product Cisco IOS XR Software
Weakness CWE-862 · Missing authorization
Published March 9, 2023
Last update October 25, 2024
View on NVD All CVEs

CVSS base score

4.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using the GRUB bootloader command line. This vulnerability is due to the inclusion of unnecessary commands within the GRUB environment that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being connected to the console port of the Cisco IOS XR device when the device is power-cycled. A successful exploit could allow the attacker to view sensitive files that could be used to conduct additional attacks against the device.

Key dates

02Disclosure timeline

March 9, 2023 CVE published
October 25, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-1026 WP Meta SEO <= 4.5.3 - Missing Authorization in 'listPostsCategory' CVE-2025-67582 WordPress Wbcom Designs plugin <= 2.1.1 - Broken Access Control vulnerability CVE-2026-3570 Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter CVE-2026-40778 WordPress Majestic Support plugin <= 1.1.2 - Broken Access Control vulnerability CVE-2025-48128 WordPress Sharespine Woocommerce Connector plugin <= 4.7.55 - Broken Access Control Vulnerability