ID

VAR-202304-1775


CVE

CVE-2023-20036


TITLE

Cisco Industrial Network Director OS Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-01390

DESCRIPTION

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Cisco Industrial Network Director (IND) is an industrial automation management system of Cisco. The system realizes automated management through visual operation of industrial Ethernet infrastructure. For more information about these vulnerabilities, see the Details section of this advisory. This advisory is available at the following link:sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V

Trust: 1.53

sources: NVD: CVE-2023-20036 // CNVD: CNVD-2025-01390 // VULMON: CVE-2023-20036

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-01390

AFFECTED PRODUCTS

vendor:ciscomodel:industrial network directorscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-01390

CVSS

SEVERITY

CVSSV2

CVSSV3

ykramarz@cisco.com: CVE-2023-20036
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2025-01390
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-01390
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

ykramarz@cisco.com: CVE-2023-20036
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-01390 // NVD: CVE-2023-20036

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

sources: NVD: CVE-2023-20036

PATCH

title:Patch for Cisco Industrial Network Director OS Command Injection Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/651406

Trust: 0.6

title:Cisco: Cisco Industrial Network Director Vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-ind-CAeLFk6V

Trust: 0.1

sources: CNVD: CNVD-2025-01390 // VULMON: CVE-2023-20036

EXTERNAL IDS

db:NVDid:CVE-2023-20036

Trust: 1.7

db:CNVDid:CNVD-2025-01390

Trust: 0.6

db:VULMONid:CVE-2023-20036

Trust: 0.1

sources: CNVD: CNVD-2025-01390 // VULMON: CVE-2023-20036 // NVD: CVE-2023-20036

REFERENCES

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ind-caelfk6v

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-20036

Trust: 0.6

sources: CNVD: CNVD-2025-01390 // VULMON: CVE-2023-20036 // NVD: CVE-2023-20036

SOURCES

db:CNVDid:CNVD-2025-01390
db:VULMONid:CVE-2023-20036
db:NVDid:CVE-2023-20036

LAST UPDATE DATE

2025-02-07T23:17:20.560000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-01390date:2025-01-14T00:00:00
db:NVDid:CVE-2023-20036date:2024-11-18T17:11:56.587

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-01390date:2025-01-14T00:00:00
db:NVDid:CVE-2023-20036date:2024-11-15T16:15:24.950