CVE-2019-12671

HIGH

Cisco IOS XE - Authenticated Shell Access Bypass via Insufficient Consent Token Enforcement

Description

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS). The vulnerability is due to insufficient enforcement of the consent token in authorizing shell access. An attacker could exploit this vulnerability by authenticating to the CLI and requesting shell access on an affected device. A successful exploit could allow the attacker to gain shell access on the affected device and execute commands on the underlying OS.

Scores

CVSS v3 7.8
EPSS 0.0035
EPSS Percentile 26.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-285 CWE-863
Status published
Products (1)
cisco/ios_xe 16.11.1 (2 CPE variants)
Published Sep 25, 2019
Tracked Since Feb 18, 2026