| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Cisco Connected Mobile Experiences. The affected element is an unknown function. Such manipulation leads to permission. This vulnerability is referenced as CVE-2020-3152. The attack can only be performed from a local environment. No exploit is available. The affected component should be upgraded.
Details
A vulnerability was found in Cisco Connected Mobile Experiences (the affected version unknown). It has been rated as critical. Affected by this issue is an unknown part. The manipulation with an unknown input leads to a permission vulnerability. Using CWE to declare the problem leads to CWE-275. Impacted is confidentiality, integrity, and availability. CVE summarizes:
A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges. The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials.
The weakness was published 08/19/2020 as cisco-sa-cmx-prvesc-6g37hjAL / CSCvs31094 as confirmed advisory (Website). The advisory is shared for download at tools.cisco.com. This vulnerability is handled as CVE-2020-3152. The attack needs to be approached locally. The exploitation requires an enhanced level of successful authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1222.
Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
License
Website
- Vendor: https://www.cisco.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.7VulDB Meta Temp Score: 6.6
VulDB Base Score: 6.7
VulDB Temp Score: 6.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
Vendor Base Score (Cisco): 6.7
Vendor Vector (Cisco): 🔍
NVD Base Score: 6.7
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: PermissionCWE: CWE-275 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
12/12/2019 🔍08/19/2020 🔍
08/19/2020 🔍
08/21/2020 🔍
11/10/2020 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-cmx-prvesc-6g37hjAL / CSCvs31094
Status: Confirmed
CVE: CVE-2020-3152 (🔍)
GCVE (CVE): GCVE-0-2020-3152
GCVE (VulDB): GCVE-100-160100
Entry
Created: 08/21/2020 15:31Updated: 11/10/2020 17:14
Changes: 08/21/2020 15:31 (48), 08/21/2020 15:36 (10), 11/10/2020 17:10 (1), 11/10/2020 17:14 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.