Cyber Resilience

CVE-2015-0666

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 April 2015

Modified: 22 April 2026
KEV Added: 25 March 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5998 (98.3rd percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-0666 is a high-severity Path Traversal (CWE-22) vulnerability in Cisco Prime Data Center Network Manager. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2015-0666 is a directory traversal vulnerability, tracked as Bug ID CSCus00241 and assigned CWE-22, that affects the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) versions prior to 7.1(1). The flaw permits remote attackers to supply a crafted pathname and retrieve arbitrary files from the underlying system, resulting in a CVSS 3.1 base score of 7.5 with network attack vector, low complexity, and no required privileges or user interaction.

Unauthenticated attackers with network access can reach the servlet directly and read sensitive files, which gives a high confidentiality impact with no effect on integrity or availability.

Cisco Security Advisory cisco-sa-20150401-dcnm and associated vendor notices recommend upgrading affected DCNM installations to version 7.1(1) or later to address the issue. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.

Vulnerability details

Directory traversal vulnerability in the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) before 7.1(1) allows remote attackers to read arbitrary files via a crafted pathname, aka Bug ID CSCus00241.

CWE(s): CWE-22
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
prime data center network manager
6.3(1), 6.3(2), 7.0(1) · ≤ 7.0(2)

Mitigating Controls (NIST 800-53 r5)

prevent

Validates pathnames supplied to the fmserver servlet to reject crafted inputs that attempt directory traversal and arbitrary file reads.

prevent

Enforces access control policies on file resources so that unauthenticated remote requests cannot retrieve arbitrary files via the vulnerable servlet.

prevent

Controls information flows between the servlet and underlying file system to block unauthorized disclosure of files outside intended directories.