Article Details

Cisco fixes root escalation vulnerability with public exploit code. Cisco has fixed a command injection vulnerability with public exploit code that lets attackers escalate privileges to root on vulnerable systems. Tracked as CVE-2024-20469, the security flaw was found in Cisco's Identity Services Engine (ISE) solution, an identity-based network access control and policy enforcement software that enables network device administration and endpoint access control in enterprise environments. This OS command injection vulnerability is caused by insufficient validation of user-supplied input. Local attackers can exploit this weakness by submitting maliciously crafted CLI commands in low-complexity attacks that don't require user interaction. However, as Cisco explains, threat actors can only exploit this flaw successfully if they already have Administrator privileges on unpatched systems. "A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," the company warned in a security advisory published on Wednesday. "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory." So far, the company has yet to discover evidence of attackers exploiting this security vulnerability in the wild. Cisco also warned customers today that it removed a backdoor account in its Smart Licensing Utility Windows software that attackers can use to log into unpatched systems with administrative privileges. In April, it released security patches for an Integrated Management Controller (IMC) vulnerability (CVE-2024-20295) with publicly available exploit code that also allows local attackers to escalate privileges to root. Another critical flaw (CVE-2024-20401), which lets threat actors add rogue root users and permanently crash Security Email Gateway (SEG) appliances via malicious emails, was patched last month. The same week, it warned of a maximum-severity vulnerability that lets attackers change any user password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators.