CVE-2018-0171

CRITICAL KEV NUCLEI

Cisco IOS - Remote Code Execution or Denial of Service via Smart Install Message


Exploitation Summary

CVE-2018-0171 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits from researchers including embedi and AlrikRr. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Cisco Smart Install Client (CVE-2018-0171) by sending a crafted packet with a malicious payload. The PoC attempts to trigger a buffer overflow via a malformed TLV structure, potentially leading to remote code execution.

Description

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: triggering a reload of the device; allowing the attacker to execute arbitrary code on the device; or causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.

Exploits (2)

exploitdb WORKING POC
by embedi · python · dos · hardware
https://www.exploit-db.com/exploits/44451

This exploit targets a buffer overflow vulnerability in Cisco Smart Install Client (CVE-2018-0171) by sending a crafted packet with a malicious payload. The PoC attempts to trigger a buffer overflow via a malformed TLV structure, potentially leading to remote code execution.

Classification
Working Poc 90%
Attack Type
RCE
Complexity
Moderate
Reliability
Theoretical
Target: Cisco Smart Install Client (versions prior to fix)
No auth needed
Prerequisites: Network access to the target · Smart Install protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 18 stars
by AlrikRr · remote
https://github.com/AlrikRr/Cisco-Smart-Exploit

This Python script exploits CVE-2018-0171 in Cisco SmartInstall to extract the running-config file from vulnerable devices. It parses and decrypts sensitive information such as secret 7 hashes, plaintext passwords, and SNMP community strings.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Cisco SmartInstall (affected versions)
No auth needed
Prerequisites: Network access to TCP port 4786 on the target device · Python 3 with tftpy and c7decrypt installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Cisco Smart Install - Configuration Download
CRITICAL · VERIFIED · by ritikchaddha, matejsmycka
Shodan: port:4786 "Smart Install"

References (7)

Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040580
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103538

Scores

CVSS v3 9.8
EPSS 0.9951
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2018-0994
CWE
CWE-20 CWE-787
Status published
Products (1)
cisco/ios 15.2(5)e
Published Mar 28, 2018
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026