CVE-2017-3881

CRITICAL KEV NUCLEI

Cisco - RCE

Description

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.

Exploits (9)

exploitdb WORKING POC
by Artem Kondratenko · python · remote · hardware
https://www.exploit-db.com/exploits/41872
exploitdb WORKING POC
by Artem Kondratenko · python · remote · hardware
https://www.exploit-db.com/exploits/42122
nomisec WORKING POC 211 stars
by artkond · remote
https://github.com/artkond/cisco-rce
nomisec WORKING POC 2 stars
by 1337g · remote
https://github.com/1337g/CVE-2017-3881
nomisec WORKING POC 2 stars
by homjxi0e · dos
https://github.com/homjxi0e/CVE-2017-3881-exploit-cisco-
nomisec WORKING POC 1 star
by mzakyz666 · remote
https://github.com/mzakyz666/PoC-CVE-2017-3881
nomisec WORKING POC
by homjxi0e · remote-auth
https://github.com/homjxi0e/CVE-2017-3881-Cisco
vulncheck_xdb WORKING POC
remote
https://github.com/threat9/routersploit
metasploit WORKING POC
by Artem Kondratenko · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb

Nuclei Templates (1)

Cisco IOS 12.2(55)SE11 - Remote Code Execution
CRITICAL · by dwisiswant0
Shodan: product:"cisco ios http config" || cpe:"cpe:2.3:o:cisco:ios"

Scores

CVSS v3 9.8
EPSS 0.9428
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-25
VulnCheck KEV 2017-03-17
InTheWild.io 2017-03-17
ENISA EUVD EUVD-2017-12998
CWE
CWE-20
Status published
Products (3)
cisco/ios 12.2s - 15.1(3)svs
cisco/ios_xe 3.2sg - 3.9e
n/a/Cisco IOS and IOS XE Software Cisco IOS and IOS XE Software
Published Mar 17, 2017
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026