CVE-2020-3446
CRITICAL
Cisco ENCS 5400-W and CSP 5000-W Series - Unauthenticated Remote Access via Default Credentials
Title source: llm
Description
A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password. The vulnerability exists because the affected software has user accounts with default, static passwords. An attacker with access to the NFVIS CLI of an affected device could exploit this vulnerability by logging into the CLI. A successful exploit could allow the attacker to access the NFVIS CLI with administrator privileges.
References (1)
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-waas-encsw-cspw-cred-hZzL29A7
Scores
CVSS v3
9.8
EPSS
0.0164
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (10)
cisco/csp_5228-w_firmware
6.4(1)
cisco/csp_5228-w_firmware
6.4(3d)
cisco/csp_5436-w_firmware
6.4(1)
cisco/csp_5436-w_firmware
6.4(3d)
cisco/encs_5406-w_firmware
6.4(1)
cisco/encs_5406-w_firmware
6.4(3d)
cisco/encs_5408-w_firmware
6.4(1)
cisco/encs_5408-w_firmware
6.4(3d)
cisco/encs_5412-w_firmware
6.4(1)
cisco/encs_5412-w_firmware
6.4(3d)
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026