Cisco Patches Critical Command Injection Vulnerability in Cisco Industrial Network Director

April 24, 2023

Cisco has addressed a critical security vulnerability in the web UI component of Industrial Network Director (IND). The flaw results from improper input validation when uploading a device pack.

The Vulnerability

  • CVE-2023-20036 (CVSS score: 9.9, Critical) – Command Injection Vulnerability.
    Successful exploitation of this vulnerability could allow a threat actor to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device.

Affected Product

  • Cisco IND 1.11.2 and prior.

Mitigation

CYREBRO recommends updating affected products to version 1.11.3.

References: Cisco Advisory.