Cisco discloses root escalation flaw with public exploit code

Cisco has released patches for a high-severity Integrated Management Controller (IMC) vulnerability with public exploit code that can let local attackers escalate privileges to root.

Cisco IMC is a baseboard management controller for managing UCS C-Series Rack and UCS S-Series Storage servers via multiple interfaces, including XML API, web (WebUI), and command-line (CLI) interfaces.

"A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root," the company explains.

"To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device."

Tracked as CVE-2024-20295, this security flaw is caused by insufficient validation of user-supplied input, a weakness that can be exploited using crafted CLI commands as part of low-complexity attacks.

The vulnerability impacts the following Cisco devices running vulnerable IMC versions in default configurations:

However, it also exposes a long list of other products to attacks if they're configured to provide access to the vulnerable Cisco IMC CLI.

Cisco's Product Security Incident Response Team (PSIRT) also warned in today's advisory that proof-of-concept exploit code is already available, but luckily, threat actors have yet to start targeting the vulnerability in attacks.

In October, the company released security patches for two zero-days, which were used to breach over 50,000 IOS XE devices within a week.

Attackers also exploited a second IOS and IOS XE zero-day last year, allowing them to hijack vulnerable devices via remote code execution.

More recently, Cisco warned of a large-scale and ongoing credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices after urging customers to mitigate password-spraying attacks against Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.