CVE-2019-1821

HIGH EXPLOITED NUCLEI

Cisco Prime Infrastructure/EPN Manager - RCE

Title source: llm

Exploitation Summary

CVE-2019-1821 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Metasploit, mr_me, and k8gege, among them the Metasploit module exploits/linux/http/cpi_tararchive_upload. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a directory traversal vulnerability in Cisco Prime Infrastructure's TarArchive Java class to upload a JSP payload to the Apache Tomcat web apps directory, achieving unauthenticated remote code execution.

Description

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exists because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/47016

This Metasploit module exploits a directory traversal vulnerability in Cisco Prime Infrastructure's TarArchive Java class to upload a JSP payload to the Apache Tomcat web apps directory, achieving unauthenticated remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure 3.4.0.0
No auth needed
Prerequisites: Network access to the target system · Cisco Prime Infrastructure 3.4.0.0 running on port 8082 with SSL
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by mr_me · python · remote · linux
https://www.exploit-db.com/exploits/47686

This exploit leverages a directory traversal vulnerability in Cisco Prime Infrastructure's Health Monitor HA TarArchive feature to upload a malicious JSP file, achieving remote code execution. The JSP file establishes a reverse shell to the attacker's specified IP and port.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure (versions affected by CVE-2019-1821)
No auth needed
Prerequisites: Network access to the target's web interface · Target must be vulnerable to CVE-2019-1821
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 142 stars
by k8gege · remote
https://github.com/k8gege/CiscoExploit

The repository contains a functional Python exploit for CVE-2019-1821, which leverages a directory traversal vulnerability in Cisco Prime Infrastructure's Health Monitor HA TarArchive feature to achieve unauthenticated remote code execution. The exploit crafts a malicious tar archive containing a JSP payload, uploads it via the vulnerable endpoint, and establishes a reverse shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure
No auth needed
Prerequisites: Network access to the target · Target must be running a vulnerable version of Cisco Prime Infrastructure
devstral-2 · analyzed Feb 18, 2026
gitlab WORKING POC
by FiveO · poc
https://gitlab.com/FiveO/CiscoExploit

The repository contains a functional Python exploit for CVE-2019-1821, which leverages a directory traversal vulnerability in Cisco Prime Infrastructure's Health Monitor HA TarArchive feature to achieve unauthenticated remote code execution. The exploit crafts a malicious tar archive containing a JSP payload, uploads it via an unauthenticated endpoint, and establishes a reverse shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure (versions affected by CVE-2019-1821)
No auth needed
Prerequisites: Network access to the target's UploadServlet endpoint (port 8082) · Target must be vulnerable to CVE-2019-1821
devstral-2 · analyzed Feb 23, 2026
metasploit WORKING POC EXCELLENT
by Steven Seeley, sinn3r · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/cpi_tararchive_upload.rb

This Metasploit module exploits a directory traversal vulnerability in Cisco Prime Infrastructure's TarArchive class to upload a malicious JSP file, achieving unauthenticated remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cisco Prime Infrastructure 3.4.0.0
No auth needed
Prerequisites: Network access to the target · Cisco Prime Infrastructure 3.4.0.0 with exposed web interface
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution
CRITICAL · by _0xf4n9x_
Shodan: http.title:"prime infrastructure"
FOFA: title="prime infrastructure"

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108339

Scores

CVSS v3 8.8
EPSS 0.9404
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2023-11-15
CWE CWE-20
Status published
Products (3)
cisco/evolved_programmable_network_manager < 3.0.1
cisco/network_level_service 3.0\(0.0.83b\)
cisco/prime_infrastructure < 3.4.1
Published May 16, 2019
Tracked Since Feb 18, 2026