Cisco bug lets hackers run commands as root on UWRB access points

Cisco has fixed a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points that provide connectivity for industrial wireless automation.

Tracked as CVE-2024-20418, this security flaw was found in Cisco's Unified Industrial Wireless Software's web-based management interface. Unauthenticated threat actors can exploit it in low-complexity command injection attacks that don't require user interaction.

"This vulnerability is due to improper validation of input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," Cisco said in a security advisory published on Wednesday.

"A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device."

As the company explains, the vulnerability impacts Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, and Catalyst IW9167E Heavy Duty Access Points, but only if they're running vulnerable software and have the URWB operating mode enabled.

Cisco's Product Security Incident Response Team (PSIRT) has yet to discover evidence of publicly available exploit code or that this critical security flaw has been exploited in attacks.

Admins can determine if the URWB operating mode is enabled by checking if the "show mpls-config" CLI command is available. If the command is not available, URWB is disabled, and the device will not be affected by this vulnerability.

Cisco also fixed a denial-of-service flaw in its Cisco ASA and Firepower Threat Defense (FTD) software in July, which was discovered in April while exploited in large-scale brute-force attacks targeting Cisco VPN devices.

One month earlier, the company released security updates to address another command injection vulnerability with public exploit code that lets attackers escalate privileges to root on vulnerable systems.

​In July, CISA and the FBI urged software companies to eliminate path OS command injection vulnerabilities before shipping in response to recent attacks where Cisco, Palo Alto, and Ivanti network edge devices were compromised by exploiting multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887).