CVE-2019-1914

HIGH

Cisco Sf-220-24 Firmware < 1.1.4.4 - Improper Input Validation

Title source: rule

Description

A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. To send the malicious request, the attacker needs a valid login session in the web management interface as a privilege level 15 user. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the root user.

Exploits (1)

exploitdb WORKING POC

by bashis · pythonremotehardware

https://www.exploit-db.com/exploits/47442

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190806-sb220-inject

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/154667/Realtek-Managed-Switch-Controller-RTL83xx-Stack-Overflow.html

Scores

CVSS v3 7.2

EPSS 0.0287

EPSS Percentile 86.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (11)

cisco/sf-220-24_firmware < 1.1.4.4

cisco/sf220-24p_firmware < 1.1.4.4

cisco/sf220-48_firmware < 1.1.4.4

cisco/sf220-48p_firmware < 1.1.4.4

cisco/sg220-26_firmware < 1.1.4.4

cisco/sg220-26p_firmware < 1.1.4.4

cisco/sg220-28_firmware < 1.1.4.4

cisco/sg220-28mp_firmware < 1.1.4.4

cisco/sg220-50_firmware < 1.1.4.4

cisco/sg220-50p_firmware < 1.1.4.4

... and 1 more

Published Aug 07, 2019

Tracked Since Feb 18, 2026