September 4, 2024 By Sergiu Gatlan
Cisco has fixed a command injection vulnerability with public exploit code that lets attackers escalate privileges to root on vulnerable systems.
Tracked as CVE-2024-20469, the security flaw was found in Cisco's Identity Services Engine (ISE), an identity-based network access control and policy-enforcement platform that handles network device administration and endpoint access control in enterprise environments.
This OS command injection vulnerability is caused by insufficient validation of user-supplied input. Local attackers can exploit this weakness by submitting maliciously crafted CLI commands in low-complexity attacks that don't require user interaction.
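The mechanism the article describes, user-supplied input reaching an OS command without adequate validation, is the generic shape of an OS command injection. The Python below is an added illustration written for this article; it is not Cisco ISE code and takes nothing from the advisory. It uses `echo` as a stand-in for whatever tool a CLI wrapper would actually invoke, a constructed host-name allow-list, and hypothetical function names, and it shows the vulnerable pattern next to the hardened one plus a small helper a defender could run over logged argument values.

```python
import re
import subprocess

# Allow-list for the one argument the hypothetical wrapper accepts: a host
# name beginning with a letter or digit, then letters, digits, dots, hyphens.
# Constructed rule for this illustration, not a Cisco ISE rule.
HOST_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

# Shell metacharacters that should never appear in a host-name argument.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")


def run_vulnerable(host: str) -> str:
    """Naive pattern: interpolate the user value into a command string and
    hand it to the shell. Anything in `host` that the shell treats as syntax
    (';', '|', '$(...)', backticks) is executed rather than passed along."""
    cmd = f"echo pinging {host}"  # `echo` stands in for a real network tool
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_argv_only(host: str) -> str:
    """Partial fix: pass an argv list with shell=False. The value becomes one
    literal argument, so shell syntax is neutralised, but a value such as
    '-n' could still be read by the tool as an option (argument injection)."""
    out = subprocess.run(["echo", "pinging", host], shell=False,
                         capture_output=True, text=True)
    return out.stdout.strip()


def run_hardened(host: str) -> str:
    """Hardened pattern: validate against the allow-list first, then use the
    argv form. The allow-list rejects metacharacters and leading '-' values,
    the argv form guarantees the shell never parses the string."""
    if not HOST_PATTERN.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return run_argv_only(host)


def looks_like_injection(value: str) -> bool:
    """Detection helper for reviewing logged CLI arguments: flags values that
    carry shell metacharacters and therefore deserve a closer look."""
    return SHELL_META.search(value) is not None


if __name__ == "__main__":
    # Constructed sample input: a benign host and one carrying shell syntax.
    benign, hostile = "host-1.example", "x; echo INJECTED"
    print("vulnerable:", run_vulnerable(hostile))      # second command runs
    print("argv only :", run_argv_only(hostile))       # one literal argument
    print("hardened  :", run_hardened(benign))
    try:
        run_hardened(hostile)
    except ValueError as exc:
        print("hardened  :", exc)
    for v in (benign, hostile):
        print(f"flag {v!r}: {looks_like_injection(v)}")
```

The allow-list and the argv form are complementary: validation alone is brittle if the pattern has a gap, and the argv form alone still lets a value be interpreted as an option by the invoked tool, so the hardened function applies both.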
However, as Cisco explains, threat actors can only exploit this flaw successfully if they already have Administrator privileges on unpatched systems.