CVE-2017-6606

MEDIUM

Cisco Ios XE - OS Command Injection

Title source: rule

Description

A vulnerability in a startup script of Cisco IOS XE Software could allow an unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the underlying operating system with the privileges of the root user. More Information: CSCuz06639 CSCuz42122. Known Affected Releases: 15.6(1.1)S 16.1.2 16.2.0 15.2(1)E. Known Fixed Releases: Denali-16.1.3 16.2(1.8) 16.1(2.61) 15.6(2)SP 15.6(2)S1 15.6(1)S2 15.5(3)S3a 15.5(3)S3 15.5(2)S4 15.5(1)S4 15.4(3)S6a 15.4(3)S6 15.3(3)S8a 15.3(3)S8 15.2(5)E 15.2(4)E3 15.2(3)E5 15.0(2)SQD3 15.0(1.9.2)SQD3 3.9(0)E.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97434

[Vendor Advisory] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-iosxe

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038190

Scores

CVSS v3 6.4

EPSS 0.0016

EPSS Percentile 36.8%

Attack Vector PHYSICAL

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (50)

cisco/ios_xe

... and 35 more

Timeline

Published Apr 07, 2017

Tracked Since Feb 18, 2026