CVE-2021-1261
HIGH
Cisco SD-WAN Firmware - Authenticated Command Injection
Title source: llm
Description
Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device. For more information about these vulnerabilities, see the Details section of this advisory.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn
Scores
CVSS v3: 7.8
EPSS: 0.0128
EPSS Percentile: 79.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-20, CWE-77
Status: published
Products (10)
cisco/catalyst_sd-wan_manager
cisco/sd-wan_firmware 18.2.0
cisco/sd-wan_firmware 18.3.0
cisco/sd-wan_firmware 18.3.8
cisco/sd-wan_firmware 18.4.6
cisco/sd-wan_firmware 19.2.3
cisco/sd-wan_firmware 19.2.99
cisco/sd-wan_firmware 20.1.0
cisco/sd-wan_vbond_orchestrator
cisco/sd-wan_vsmart_controller_firmware
Published: Jan 20, 2021
Tracked Since: Feb 18, 2026