CVE-2019-1756

HIGH

Cisco IOS XE - Authenticated Remote Code Execution via Web UI Username Input

Title source: llm

Description

A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system.

References (2)

Core References
- http://www.securityfocus.com/bid/107598 (Third Party Advisory, VDB Entry; source: bid)

Scores

CVSS v3 7.2
EPSS 0.0377
EPSS Percentile 88.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (16)
cisco/ios 11.0(20.3)
cisco/ios 16.9(1)
cisco/ios_xe 3.2.0ja
cisco/ios_xe 16.7.1
cisco/ios_xe 16.7.1a
cisco/ios_xe 16.7.1b
cisco/ios_xe 16.7.2
cisco/ios_xe 16.7.3
cisco/ios_xe 16.8.1
cisco/ios_xe 16.8.1a
... and 6 more
Published Mar 28, 2019
Tracked Since Feb 18, 2026