CVE-2020-3266: Cisco SD-WAN Solution Command Injection Vulnerability
First published: Thu Mar 19 2020(Updated: )
A vulnerability in the CLI of Cisco SD-WAN Solution software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco SD-WAN firmware | <19.2.2 | |
| Cisco 1100-4g Integrated Services Router | ||
| Cisco 1100-4gltegb Integrated Services Router | ||
| Cisco 1100-4gltena Integrated Services Router | ||
| Cisco 1100-6g Integrated Services Router | ||
| Cisco vEdge 100 | ||
| Cisco vEdge 1000 | ||
| Cisco vedge 100b | ||
| Cisco vEdge 100m | ||
| Cisco vEdge 100wm | ||
| Cisco vEdge 2000 | ||
| Cisco vEdge 5000 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-3266?
CVE-2020-3266 is a vulnerability in the CLI of Cisco SD-WAN Solution software that allows an authenticated local attacker to execute arbitrary commands with root privileges.
How does CVE-2020-3266 affect Cisco SD-WAN Solution software?
CVE-2020-3266 affects Cisco SD-WAN Solution software versions up to and including 19.2.2.
What is the severity of CVE-2020-3266?
CVE-2020-3266 has a severity rating of 7.8 (high).
How can an attacker exploit CVE-2020-3266?
An attacker can exploit CVE-2020-3266 by authenticating to the affected device's CLI and injecting arbitrary commands.
Is there a fix available for CVE-2020-3266?
Yes, Cisco has released a security advisory with information on how to mitigate CVE-2020-3266. Please refer to the advisory for more details.
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/description
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco sd-wan firmware
- canonical/cisco 1100-4g integrated services router
- canonical/cisco 1100-4gltegb integrated services router
- canonical/cisco 1100-4gltena integrated services router
- canonical/cisco 1100-6g integrated services router
- canonical/cisco vedge 100
- canonical/cisco vedge 1000
- canonical/cisco vedge 100b
- canonical/cisco vedge 100m
- canonical/cisco vedge 100wm
- canonical/cisco vedge 2000
- canonical/cisco vedge 5000