CVE-2017-6619
HIGHCisco Integrated Management Controller 3.0(1c) - Authenticated Remote Code Execution via HTTP POST Request
Title source: llmDescription
A vulnerability in the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software does not sufficiently sanitize user-supplied HTTP input. An attacker could exploit this vulnerability by sending an HTTP POST request that contains crafted, deserialized user data to the affected software. A successful exploit could allow the attacker to execute arbitrary commands with root-level privileges on the affected system, which the attacker could use to conduct further attacks. Cisco Bug IDs: CSCvd14591.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97925
Vendor Advisory x_refsource_confirm
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-cimc
Scores
CVSS v3
8.8
EPSS
0.0264
EPSS Percentile
83.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
cisco/integrated_management_controller_supervisor
3.0\(1c\)
n/a/Cisco Integrated Management Controller
Cisco Integrated Management Controller
Published
Apr 20, 2017
Tracked Since
Feb 18, 2026