Cisco IOS XE Software Web-Based Management Interface Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the web-based management interface of Cisco IOS XE Software. This vulnerability allows an authenticated, remote attacker with low privileges to perform injection attacks on an affected device. The issue arises from insufficient input validation: an attacker could exploit it by sending crafted input to the interface, which could allow them to read limited files from the underlying operating system or to clear the syslog and licensing logs on the device.

Impact

Exploitation of this vulnerability could lead to unauthorized file access on the operating system or the ability to clear important system logs, potentially obscuring other malicious activities.

Remediation

Cisco has released software updates to address this vulnerability. Instructions for upgrading can be found on the Cisco Security Advisories page. Disabling the HTTP Server feature also eliminates the attack vector for this vulnerability.
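As an added example (not part of the advisory above), the IOS XE CLI sequence that applies the HTTP Server workaround on a device where both the HTTP and HTTPS servers are enabled, followed by the check that they are off. It assumes the device uses the standard `ip http` global configuration commands.

```cisco
! Weak state: the web-based management interface is reachable over HTTP and HTTPS
! (as seen in "show running-config")
ip http server
ip http secure-server

! Hardened state: turn both servers off. If both are enabled, both commands are
! required; disabling only one leaves the interface reachable on the other.
configure terminal
no ip http server
no ip http secure-server
end
write memory

! Verify: the running configuration should now show the servers as disabled
show running-config | include ip http
! expected lines:
!   no ip http server
!   no ip http secure-server
```

Disabling the HTTP Server feature also stops any other feature that depends on it, so confirm nothing in production relies on the web interface before applying this; upgrading to the fixed software remains the complete fix.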

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 5.0
exploitability: 4.9
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.