CVE-2018-0433
HIGH
Cisco SD-WAN Solution < 18.3.0 - Authenticated OS Command Injection via CLI
Title source: llm
Description
A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.
References (2)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105295
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-injection
Scores
CVSS v3: 7.8
EPSS: 0.0045
EPSS Percentile: 35.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-77, CWE-78
Status: published
Products (8)
cisco/vbond_orchestrator
cisco/vedge_1000_firmware < 18.3.0
cisco/vedge_100_firmware < 18.3.0
cisco/vedge_2000_firmware < 18.3.0
cisco/vedge_5000_firmware < 18.3.0
cisco/vedge_cloud_router_platform
cisco/vmanage_network_management_system
cisco/vsmart_controller
Published: Oct 05, 2018
Tracked Since: Feb 18, 2026