April 24, 2023
Cisco Patches Critical Command Injection Vulnerability in Cisco Industrial Network Director
Cisco has addressed a critical security vulnerability discovered in the web UI component of Industrial Network Director (IND), which results from improper input validation while uploading a device pack.
- CVE-2023-20036 (CVSS score: 9.9, Critical) – Command Injection Vulnerability.
Successful exploit of this vulnerability could allow a threat actor to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device.
- Cisco IND 1.11.2 and prior.
CYREBRO recommends updating relevant products up to version 1.11.3.
References: Cisco Advisory.