CVE-2021-1356

MEDIUM

Cisco IOS XE - Authenticated Denial of Service via Web UI Error Handling

Title source: llm

Description

Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attacker could exploit these vulnerabilities by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to cause the web UI software to become unresponsive and consume all available vty lines, preventing new session establishment and resulting in a DoS condition. Manual intervention would be required to regain web UI and vty session functionality. Note: These vulnerabilities do not affect the console connection.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xe-webui-dos-z9yqYQAn

Scores

CVSS v3 4.3

EPSS 0.0011

EPSS Percentile 28.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-755 CWE-20

Status published

Products (13)

cisco/ios_xe 3.15.1xbs

cisco/ios_xe 3.15.2xbs

cisco/ios_xe 17.1.1

cisco/ios_xe 17.1.1a

cisco/ios_xe 17.1.1s

cisco/ios_xe 17.1.1t

cisco/ios_xe 17.1.2

cisco/ios_xe 17.2.1

cisco/ios_xe 17.2.1a

cisco/ios_xe 17.2.1r

... and 3 more

Published Mar 24, 2021

Tracked Since Feb 18, 2026