CVE-2022-20929

HIGH

Cisco Enterprise NFV Infrastructure Software 3.5.1-4.9.1 - Unauthenticated Cryptographic Signature Verification Bypass

Title source: llm

Description

A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system.

References (1)

Core 1

Core References

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-ISV-BQrvEv2h

Scores

CVSS v3 7.8

EPSS 0.0009

EPSS Percentile 24.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-347

Status published

Products (1)

cisco/enterprise_nfv_infrastructure_software 3.5.1 - 4.9.1

Published Mar 10, 2023

Tracked Since Feb 18, 2026