What is CVE-2024-20295?

CVE-2024-20295 is a high-severity vulnerability in Cisco Unified Computing System E-series Software (Ucse), classified under OS Command Injection. CVSS score: 8.8/10. Published 2024-04-24.

How severe is CVE-2024-20295?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2024-20295 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Cisco Unified Computing System E-series Software (Ucse)

CVE-2024-20295

A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.006 (69.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Cisco Unified Computing System E-series Software (Ucse) — versions N/A
Cisco Unified Computing System (Standalone) — versions 3.0(1c), 3.0(1d), 3.0(2b)

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

cisco-sa-cimc-cmd-inj-mUx4c5AJ

Frequently asked questions

What is CVE-2024-20295?: CVE-2024-20295 is a high-severity vulnerability in Cisco Unified Computing System E-series Software (Ucse), classified under OS Command Injection. CVSS score: 8.8/10. Published 2024-04-24.
How severe is CVE-2024-20295?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2024-20295 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.