CVE-2020-3229
HIGHCisco IOS XE Web Management Software - Privilege Escalation
Title source: llmDescription
A vulnerability in Role Based Access Control (RBAC) functionality of Cisco IOS XE Web Management Software could allow a Read-Only authenticated, remote attacker to execute commands or configuration changes as an Admin user. The vulnerability is due to incorrect handling of RBAC for the administration GUI. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a Read-Only user to execute CLI commands or configuration changes as if they were an Admin user.
References (1)
Core 1
Core References
Patch, Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-PZgQxjfG
Scores
CVSS v3
8.8
EPSS
0.0075
EPSS Percentile
73.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-264
CWE-863
Status
published
Products (50)
cisco/ios_xe
16.2.2
cisco/ios_xe
16.3.1
cisco/ios_xe
16.3.1a
cisco/ios_xe
16.3.2
cisco/ios_xe
16.3.3
cisco/ios_xe
16.3.4
cisco/ios_xe
16.3.5
cisco/ios_xe
16.3.5b
cisco/ios_xe
16.3.6
cisco/ios_xe
16.3.7
... and 40 more
Published
Jun 03, 2020
Tracked Since
Feb 18, 2026