CVE-2019-1971
CRITICALCisco Enterprise NFV Infrastructure Software 3.6.2-3.8.1 - Unauthenticated Remote Code Execution via Web Portal Input
Title source: llmDescription
A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to perform a command injection attack and execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation by the web portal framework. An attacker could exploit this vulnerability by providing malicious input during web portal authentication. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-commandinj
Scores
CVSS v3
9.8
EPSS
0.0358
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
CWE-78
Status
published
Products (1)
cisco/enterprise_network_function_virtualization_infrastructure
3.6.2 - 3.8.1
Published
Aug 08, 2019
Tracked Since
Feb 18, 2026