Cyber Resilience

CVE-2017-3881

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 March 2017
Modified: 22 April 2026
KEV Added: 25 March 2022
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9428 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-3881 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco IOS and Cisco IOS XE Software. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and CM-7 (Least Functionality).

Deeper analysis

A vulnerability exists in the Cisco Cluster Management Protocol (CMP) processing code within Cisco IOS and Cisco IOS XE Software. The flaw stems from the protocol's use of Telnet for internal signaling between cluster members combined with a failure to restrict CMP-specific Telnet options to local communications and incorrect handling of malformed options. It affects a range of devices including Catalyst switches, IE Industrial Ethernet switches, ME 4924-10GE switches, RF Gateway 10, and multiple EtherSwitch service modules. The issue is tracked as Cisco Bug ID CSCvd48893 and carries a CVSS score of 9.8.

An unauthenticated remote attacker can exploit the vulnerability by initiating a Telnet session to an affected device configured to accept Telnet connections and sending specially crafted CMP-specific Telnet options. Successful exploitation grants the attacker the ability to execute arbitrary code with elevated privileges, resulting in full device control, or to trigger a reload that causes a denial of service.

The referenced Cisco Security Advisory, cisco-sa-20170317-cmp, along with the associated security bulletins from SecurityFocus and SecurityTracker and Exploit-DB entry 41872, provides details on available patches and workarounds. Public exploit code has been published, indicating that the issue is reproducible outside of controlled environments.

Vulnerability details

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.

CWE(s): CWE-20 (Improper Input Validation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco ios: 12.2s through 15.1(3)svs
cisco ios xe: 3.2sg through 3.9e

Mitigating Controls (NIST 800-53 r5)

AC-17 Remote Access [prevent]
Directly mitigates the unauthenticated Telnet-based CMP exploit by requiring authorization, encryption, and connection restrictions for remote management sessions.

CM-7 Least Functionality [prevent]
Enforces disabling Telnet and non-essential CMP processing on exposed interfaces, eliminating the attack vector described in the CVE.

Vendor patch [prevent]
Requires prompt application of the vendor patch (CSCvd48893) that corrects the malformed CMP Telnet option handling flaw.
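As an added illustration of the AC-17 and CM-7 controls above (example configuration written for this page, not taken from the Cisco advisory), here is a vty line configuration that still exposes the Telnet vector, beside one that removes it by permitting only SSH from a restricted management subnet. The hostname, domain name, ACL number 10 and the 10.0.100.0/24 management subnet are constructed placeholders.

```cisco
! --- Weak: vty lines accept Telnet from any source ---
! Any host that can reach the device can open a Telnet session, which is
! all CVE-2017-3881 needs; CMP options are parsed before authentication.
line vty 0 4
 transport input telnet ssh
 login local

! --- Hardened: SSH only, restricted to management hosts ---
! Host keys need a hostname and domain name before they can be generated.
hostname sw-edge-1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Standard ACL 10 (constructed): only the management subnet may connect.
access-list 10 remark management hosts only
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verify after the change: no vty range may still list "telnet" under
! transport input, and every vty range on the platform must be covered
! (Catalyst switches commonly expose more than vty 0-4).
! show running-config | section line vty
! show ip ssh
```

Removing Telnet from transport input closes the unauthenticated pre-login path; the access-class further limits who can even reach the SSH listener while the CSCvd48893 fix is rolled out.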
