CVE-2026-20220

Summary

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.

This vulnerability is due to insufficient input validation in the configuration template engine of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system in limited areas of the file system. This vulnerability affects only areas of the operating system for which the template user has write permissions.  To exploit this vulnerability, the attacker must have valid template user credentials with write permissions. Template users with read permissions cannot exploit this vulnerability. 

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Crosswork Network Change Automation3.0.0affected
CiscoCisco Crosswork Network Change Automation3.0.1affected
CiscoCisco Crosswork Network Change Automation1.0.0affected
CiscoCisco Crosswork Network Change Automation2.0.0affected
CiscoCisco Crosswork Network Change Automation2.0.1affected
CiscoCisco Crosswork Network Change Automation3.0.2affected
CiscoCisco Crosswork Network Change Automation2.0.2affected
CiscoCisco Crosswork Network Change Automation3.0.3affected
CiscoCisco Crosswork Network Change Automation4.0.0affected
CiscoCisco Crosswork Network Change Automation4.1.0affected
CiscoCisco Crosswork Network Change Automation4.5.0affected
CiscoCisco Crosswork Network Change Automation4.1.1affected
CiscoCisco Crosswork Network Change Automation5.0.0affected
CiscoCisco Crosswork Network Change Automation4.5.1affected
CiscoCisco Crosswork Network Change Automation4.1.2affected
CiscoCisco Crosswork Network Change Automation5.0.1affected
CiscoCisco Crosswork Network Change Automation4.5.2affected
CiscoCisco Crosswork Network Change Automation5.0.2affected
CiscoCisco Crosswork Network Change Automation4.1.3affected
CiscoCisco Crosswork Network Change Automation6.0.0affected
CiscoCisco Crosswork Network Change Automation7.0.0affected
CiscoCisco Crosswork Network Change Automation4.1.4affected
CiscoCisco Crosswork Network Change Automation6.0.2affected
CiscoCisco Crosswork Network Change Automation5.0.3affected
CiscoCisco Crosswork Network Change Automation6.0.3affected
CiscoCisco Crosswork Network Change Automation5.0.4affected
CiscoCisco Crosswork Network Change Automation7.0.1affected
CiscoCisco Crosswork Network Change Automation6.0.4affected
CiscoCisco Crosswork Network Change Automation7.0.2affected
CiscoCisco Crosswork Network Change Automation7.1.0affected
CiscoCisco Crosswork Network Change Automation5.0.5affected
CiscoCisco Crosswork Network Change Automation7.0.3affected
CiscoCisco Crosswork Network Change Automation7.0.4affected
CiscoCisco Crosswork Network Change Automation7.1.1affected
CiscoCisco Crosswork Network Change Automation7.0.5affected
CiscoCisco Crosswork Network Change Automation7.2.0affected
CiscoCisco Crosswork Network Change Automation7.1.2affected

Weaknesses

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References