Description
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. One example is the "sudo ln -s /tmp/script /etc/cron.hourly/script" command.
Scores
CVSS v3: 7.8
EPSS: 0.0005
EPSS Percentile: 15.1%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-1188
Status: published
Products (1): cerner/connectivity_engine_4_firmware < 201812
Published: Apr 25, 2019
Tracked Since: Feb 18, 2026