CVE-2019-12649
MEDIUMCisco IOS XE - Authenticated Digital Signature Verification Bypass via Boot Process
Title source: llmDescription
A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability exists because, under certain circumstances, an affected device can be configured to not verify the digital signatures of system image files during the boot process. An attacker could exploit this vulnerability by abusing a specific feature that is part of the device boot process. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-digsig-bypass
Scores
CVSS v3
6.7
EPSS
0.0024
EPSS Percentile
14.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-347
Status
published
Products (2)
cisco/ios
16.9.1
cisco/ios_xe
16.8\(1\)
Published
Sep 25, 2019
Tracked Since
Feb 18, 2026