CVE-2017-6606

MEDIUM

Cisco IOS XE - Unauthenticated OS Command Injection via Startup Script

Title source: llm

Description

A vulnerability in a startup script of Cisco IOS XE Software could allow an unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the underlying operating system with the privileges of the root user.

More Information: CSCuz06639, CSCuz42122.
Known Affected Releases: 15.6(1.1)S, 16.1.2, 16.2.0, 15.2(1)E.
Known Fixed Releases: Denali-16.1.3, 16.2(1.8), 16.1(2.61), 15.6(2)SP, 15.6(2)S1, 15.6(1)S2, 15.5(3)S3a, 15.5(3)S3, 15.5(2)S4, 15.5(1)S4, 15.4(3)S6a, 15.4(3)S6, 15.3(3)S8a, 15.3(3)S8, 15.2(5)E, 15.2(4)E3, 15.2(3)E5, 15.0(2)SQD3, 15.0(1.9.2)SQD3, 3.9(0)E.

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/97434
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1038190

Scores

CVSS v3 6.4
EPSS 0.0050
EPSS Percentile 39.2%
Attack Vector PHYSICAL
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (50)
cisco/ios_xe 3.1.0s
cisco/ios_xe 3.1.0sg
cisco/ios_xe 3.1.1s
cisco/ios_xe 3.1.1sg
cisco/ios_xe 3.1.2s
cisco/ios_xe 3.1.3s
cisco/ios_xe 3.1.4as
cisco/ios_xe 3.1.4s
cisco/ios_xe 3.2.0se
cisco/ios_xe 3.2.0sg
... and 40 more
Published Apr 07, 2017
Tracked Since Feb 18, 2026