CVE-2024-20289

Summary

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, low-privileged, local attacker to execute arbitrary commands on the underlying operating system of an affected device. 

This vulnerability is due to insufficient validation of arguments for a specific CLI command. An attacker could exploit this vulnerability by including crafted input as the argument of the affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the currently logged-in user.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco NX-OS Software9.3(3)affected
CiscoCisco NX-OS Software9.3(4)affected
CiscoCisco NX-OS Software9.3(5)affected
CiscoCisco NX-OS Software9.3(6)affected
CiscoCisco NX-OS Software10.1(2)affected
CiscoCisco NX-OS Software10.1(1)affected
CiscoCisco NX-OS Software9.3(5w)affected
CiscoCisco NX-OS Software9.3(7)affected
CiscoCisco NX-OS Software9.3(7k)affected
CiscoCisco NX-OS Software10.2(1)affected
CiscoCisco NX-OS Software9.3(7a)affected
CiscoCisco NX-OS Software9.3(8)affected
CiscoCisco NX-OS Software10.2(1q)affected
CiscoCisco NX-OS Software10.2(2)affected
CiscoCisco NX-OS Software9.3(9)affected
CiscoCisco NX-OS Software10.1(2t)affected
CiscoCisco NX-OS Software10.2(3)affected
CiscoCisco NX-OS Software10.2(3t)affected
CiscoCisco NX-OS Software9.3(10)affected
CiscoCisco NX-OS Software10.2(2a)affected
CiscoCisco NX-OS Software10.3(1)affected
CiscoCisco NX-OS Software10.2(4)affected
CiscoCisco NX-OS Software10.3(2)affected
CiscoCisco NX-OS Software9.3(11)affected
CiscoCisco NX-OS Software10.3(3)affected
CiscoCisco NX-OS Software10.2(5)affected
CiscoCisco NX-OS Software9.3(12)affected
CiscoCisco NX-OS Software10.2(3v)affected
CiscoCisco NX-OS Software10.4(1)affected
CiscoCisco NX-OS Software10.3(99w)affected
CiscoCisco NX-OS Software10.2(6)affected
CiscoCisco NX-OS Software10.3(3w)affected
CiscoCisco NX-OS Software10.3(99x)affected
CiscoCisco NX-OS Software10.3(3o)affected
CiscoCisco NX-OS Software10.3(4)affected
CiscoCisco NX-OS Software10.3(3p)affected
CiscoCisco NX-OS Software10.3(4a)affected
CiscoCisco NX-OS Software10.4(2)affected
CiscoCisco NX-OS Software10.3(3q)affected
CiscoCisco NX-OS Software10.3(3x)affected
CiscoCisco NX-OS Software10.3(4g)affected
CiscoCisco NX-OS Software10.3(3r)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(2h)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(2j)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(3d)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(3e)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(4c)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(5h)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(3g)affected
CiscoCisco NX-OS System Software in ACI Mode16.0(5j)affected

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References