What is CVE-2023-20193?

CVE-2023-20193 is a vulnerability in the Embedded Service Router (ESR) of Cisco Identity Services Engine (ISE) that allows an authenticated local attacker to read, write, or delete arbitrary files on the underlying operating system and escalate their privileges to root.

How does CVE-2023-20193 impact Cisco ISE?

CVE-2023-20193 allows an authenticated local attacker to gain unauthorized access and perform unauthorized actions on the underlying operating system of Cisco ISE, potentially leading to a full compromise of the system.

What is the severity of CVE-2023-20193?

The severity of CVE-2023-20193 is medium, with a CVSS severity score of 6.

How can the CVE-2023-20193 vulnerability be exploited?

To exploit CVE-2023-20193, an attacker must have valid Administrator-level access and be able to authenticate locally.

Is there a fix available for CVE-2023-20193?

Yes, Cisco has released a security advisory with mitigation details and software updates to address the vulnerability. Please refer to the Cisco Security Advisory for more information.

Vulnerability/
CVE-2023-20193

medium

6.7

CWE

269 78

7/9/2023

25/1/2024

CVE-2023-20193: OS Command Injection

First published: Thu Sep 07 2023(Updated: )

A vulnerability in the Embedded Service Router (ESR) of Cisco ISE could allow an authenticated, local attacker to read, write, or delete arbitrary files on the underlying operating system and escalate their privileges to root. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to improper privilege management in the ESR console. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to elevate their privileges to root and read, write, or delete arbitrary files from the underlying operating system of the affected device. Note: The ESR is not enabled by default and must be licensed. To verify the status of the ESR in the Admin GUI, choose Administration > Settings > Protocols > IPSec.

Credit: ykramarz@cisco.com ykramarz@cisco.com

Affected Software	Affected Version	How to fix
Cisco Identity Services Engine	<=2.7
Cisco Identity Services Engine	>=3.0<=3.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-20193?
CVE-2023-20193 is a vulnerability in the Embedded Service Router (ESR) of Cisco Identity Services Engine (ISE) that allows an authenticated local attacker to read, write, or delete arbitrary files on the underlying operating system and escalate their privileges to root.
How does CVE-2023-20193 impact Cisco ISE?
CVE-2023-20193 allows an authenticated local attacker to gain unauthorized access and perform unauthorized actions on the underlying operating system of Cisco ISE, potentially leading to a full compromise of the system.
What is the severity of CVE-2023-20193?
The severity of CVE-2023-20193 is medium, with a CVSS severity score of 6.
How can the CVE-2023-20193 vulnerability be exploited?
To exploit CVE-2023-20193, an attacker must have valid Administrator-level access and be able to authenticate locally.
Is there a fix available for CVE-2023-20193?
Yes, Cisco has released a security advisory with mitigation details and software updates to address the vulnerability. Please refer to the Cisco Security Advisory for more information.

collector/nvd-index
agent/author
agent/type
agent/softwarecombine
collector/the-register
source/The Register
alias/CVE-2024-20674
alias/CVE-2024-20700
alias/CVE-2023-49583
alias/CVE-2023-50422
alias/CVE-2023-20193
alias/CVE-2023-20194
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/weakness
agent/tags
agent/first-publish-date
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup
vendor/cisco
canonical/cisco identity services engine
version/cisco identity services engine/2.7
version/cisco identity services engine/3.0
version/cisco identity services engine/3.3