RCE in Cisco 1000_integrated_services_router
CVE-2022-20851
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.009 (54.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N.
Affected products
- Cisco 1000_integrated_services_router
- Cisco 1100-4g_integrated_services_router
- Cisco 1100-4p_integrated_services_router
- Cisco 1100-6g_integrated_services_router
- Cisco 1100-8p_integrated_services_router
- Cisco 1100_integrated_services_router
- Cisco 1101-4p_integrated_services_router
- Cisco 1101_integrated_services_router
- Cisco 1109-2p_integrated_services_router
- Cisco 1109-4p_integrated_services_router
Weakness classification (CWE)
Public proof-of-concept exploits
References
- psirt@cisco.com (x_refsource_CISCO, vendor-advisory, Vendor Advisory)
Frequently asked questions
- What is CVE-2022-20851?
- CVE-2022-20851 is a medium-severity vulnerability in Cisco 1000_integrated_services_router, classified under Command Injection. CVSS score: 5.5/10. Published 2022-09-30.
- How severe is CVE-2022-20851?
- Medium severity. CVSS v3 base score is 5.5 out of 10.
- Is CVE-2022-20851 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.