1. Home
  2. CVE Database
  3. CVE-2023-20036
CRITICAL · 9.9

CVE-2023-20036

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected ...

Vulnerability Description

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
CiscoIndustrial Network Director< 1.11.3

Related Weaknesses (CWE)

CWE-78

References

FAQ

What is CVE-2023-20036?

CVE-2023-20036 is a vulnerability with a CVSS score of 9.9 (CRITICAL). A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected ...

How severe is CVE-2023-20036?

CVE-2023-20036 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-20036?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Industrial Network Director.