← Back

CVE-2024-20469

nvd nist
Published: Sep 4, 2024Modified: Sep 25, 2025

JSON object

Loading...
6.7
Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 / Impact: 5.9
Source: NVD

Description

A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid Administrator privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.

Affected (11)

Cisco
1 product
Identity Services Engine
Configuration A
11 vulnerable
Vulnerable SoftwareAffected Versions
Cisco
Identity Services Engine
Version 3.2.0
Identity Services Engine
Version 3.2.0 patch1
Identity Services Engine
Version 3.2.0 patch2
Identity Services Engine
Version 3.2.0 patch3
Identity Services Engine
Version 3.2.0 patch4
Identity Services Engine
Version 3.2.0 patch5
Identity Services Engine
Version 3.2.0 patch6
Identity Services Engine
Version 3.3.0
Identity Services Engine
Version 3.3.0 patch1
Identity Services Engine
Version 3.3.0 patch2
Identity Services Engine
Version 3.3.0 patch3

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

Source: psirt@cisco.com
Vendor Advisory

Timeline

No history available yet.