Cyber Resilience

CVE-2018-0171

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 28 March 2018

Published
28 March 2018
Modified
14 January 2026
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9290 99.8th percentile
Risk Priority 95 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-0171 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco Ios. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software stems from improper validation of packet data, which can lead to a buffer overflow. Affected devices accept Smart Install messages on TCP port 4786, and successful exploitation can produce a reload, an indefinite loop triggering a watchdog crash, or arbitrary code execution. The issue is tracked as Cisco Bug ID CSCvg76186 and is assigned CWE-20 and CWE-787.

An unauthenticated remote attacker can exploit the flaw by sending a crafted Smart Install message to an exposed device. With no authentication or user interaction required, a successful attack yields high-impact outcomes including full control of the device or a persistent denial-of-service condition, reflected in the CVSS 3.1 score of 9.8.

Public advisories from Cisco, ICS-CERT, SecurityFocus, and SecurityTracker describe the same attack vector and direct administrators to the corresponding Cisco Security Advisory for mitigation steps and software updates. No information on observed in-the-wild exploitation is supplied in the source references.

EU & UK References

Vulnerability details

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to…

more

execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, Causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
ios
15.2\(5\)e

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input (here, Smart Install packets on TCP 4786) to block the malformed data that triggers the buffer overflow.

prevent

Enforces authentication and authorization before any access to the Smart Install service, eliminating the unauthenticated remote attack path.

prevent

Boundary-protection rules can block or restrict inbound traffic to TCP port 4786 from untrusted networks, limiting exposure of the vulnerable listener.

References