Cisco disclosed a new high-severity vulnerability Wednesday, as well as a patch for the issue, which impacts the Cisco Integrated Management Controller used by numerous devices.
The tech giant said that no known exploitation was known to have occurred as of the disclosure of the root escalation vulnerability — though code that can be used to exploit the issue has been publicly released, Cisco noted.
[Related: 5 Things To Know About The Latest Firewall, VPN Attacks]
In an email Wednesday evening, Cisco said it was not aware of any exploitation of the flaw as of that point.
The vulnerability in the command-line interface of Cisco’s Integrated Management Controller (IMC) “could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root,” Cisco said in its advisoryWednesday. A threat actor must possess read-only privileges or higher to exploit the flaw, the company said.
ADVERTISEMENT
“A successful exploit could allow the attacker to elevate privileges to root,” Cisco said.
The vendor said the vulnerability (tracked at CVE-2024-20295) has been judged to have “high” severity with a rating of 8.8 out of 10.0.
Cisco devices must be running an impacted version of IMC with a default configuration to be affected, the company said.
The affected devices include UCS C-Series Rack Servers (in “standalone mode”) and UCS E-Series Servers, as well as 5000 Series Enterprise Network Compute Systems and Catalyst 8300 Series Edge uCPE, according to Cisco.
A lengthy list of additional Cisco products could also be affected if they are “based on a preconfigured version of a Cisco UCS C-Series Server [and] if they expose access to the Cisco IMC CLI,” the company said.
Products that are not affected include UCS B-Series Blade Servers, UCS C-Series Rack Servers (managed by Cisco UCS Manager), UCS S-Series Storage Servers and UCS X-Series Modular Systems, Cisco said.
Customers must apply available patches to protect against the issue since no workarounds have been released.
Cisco said that its Product Security Incident Response Team (PSIRT) is “aware that proof-of-concept exploit code is available for the vulnerability.” However, “the Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory,” the company said.