CVE-2023-20016

MEDIUM

Cisco UCS/FXOS - Info Disclosure

Title source: llm

Description

A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method used for the backup function. An attacker could exploit this vulnerability by leveraging a static key used for the backup configuration feature. A successful exploit could allow the attacker to decrypt sensitive information that is stored in full state and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and other credentials.

References (1)

[Vendor Advisory] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsm-bkpsky-H8FCQgsA

Scores

CVSS v3 6.3

EPSS 0.0007

EPSS Percentile 21.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-321 CWE-330

Status published

Products (12)

cisco/fxos < 2.6.1

cisco/ucs_6200_firmware

cisco/ucs_6248up_firmware

cisco/ucs_6296up_firmware

cisco/ucs_6300_firmware

cisco/ucs_6324_firmware

cisco/ucs_6332-16up_firmware

cisco/ucs_6332_firmware

cisco/ucs_64108_firmware

cisco/ucs_6454_firmware

... and 2 more

Published Feb 23, 2023

Tracked Since Feb 18, 2026