HIGH · 7.9

CVE-2022-20855

A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbitrary commands on the underlying operating system of the access point.

Vulnerability Description

A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbitrary commands on the underlying operating system of the access point. This vulnerability is due to improper checks throughout the restart of certain system processes. An attacker could exploit this vulnerability by logging on to an affected device and executing certain CLI commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root. To successfully exploit this vulnerability, an attacker would need valid credentials for a privilege level 15 user of the wireless controller.

CVSS Score

7.9

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Affected Products

Vendor   Product              Versions
Cisco    IOS XE               17.6.1
Cisco    Catalyst 9105        -
Cisco    Catalyst 9105AXI     -
Cisco    Catalyst 9105AXW     -
Cisco    Catalyst 9115        -
Cisco    Catalyst 9115 AP     -
Cisco    Catalyst 9115AXE     -
Cisco    Catalyst 9115AXI     -
Cisco    Catalyst 9117        -
Cisco    Catalyst 9117 AP     -
Cisco    Catalyst 9117AXI     -
Cisco    Catalyst 9120        -
Cisco    Catalyst 9120 AP     -
Cisco    Catalyst 9120AXE     -
Cisco    Catalyst 9120AXI     -
Cisco    Catalyst 9120AXP     -
Cisco    Catalyst 9124        -
Cisco    Catalyst 9124AXD     -
Cisco    Catalyst 9124AXI     -
Cisco    Catalyst 9130        -

(A "-" in the Versions column means the record lists no specific affected version for that product.)

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-20855?

CVE-2022-20855 is a vulnerability with a CVSS score of 7.9 (HIGH). A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbitrary commands on the underlying operating system of the access point.

How severe is CVE-2022-20855?

CVE-2022-20855 has been rated HIGH with a CVSS base score of 7.9/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2022-20855?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco IOS XE, Cisco Catalyst 9105, Cisco Catalyst 9105AXI, Cisco Catalyst 9105AXW, Cisco Catalyst 9115.