CVE-2019-1976

CRITICAL

Cisco Industrial Network Director < 1.6.0 - Unauthenticated Sensitive Information Exposure via Plug-and-Play Services

Title source: llm

Description

A vulnerability in the “plug-and-play” services component of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper access restrictions on the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to access running configuration information about devices managed by the IND, including administrative credentials.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-ind

Scores

CVSS v3 9.8

EPSS 0.0198

EPSS Percentile 78.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

cisco/industrial_network_director < 1.6.0

cisco/network_level_service 1.6\(0.369\)

Published Sep 05, 2019

Tracked Since Feb 18, 2026