CVE-2023-20036
Published: 15 November 2024
Summary
CVE-2023-20036 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cisco Industrial Network Director. Its CVSS base score is 9.9 (Critical).
Operationally, ranked in the top 7.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the web UI of Cisco Industrial Network Director (IND) stems from improper input validation during Device Pack uploads. An authenticated remote attacker can modify the associated HTTP request to inject operating system commands, resulting in arbitrary code execution as NT AUTHORITY\SYSTEM on the underlying Windows host. The flaw is tracked as CWE-78 and carries a CVSS 3.1 score of 9.9.
An attacker with valid credentials to the IND web interface can exploit the issue without user interaction by tampering with the upload workflow. Successful exploitation grants full administrative control over the affected device operating system, enabling persistence, lateral movement, or disruption of industrial network management functions.
Cisco has published software updates that remediate the vulnerability and states that no workarounds exist. The sole advisory reference is the vendor notice at sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V.
EPSS for the CVE reached a peak of 0.1235 on 2026-04-21 before receding to the current value of 0.0876; no public evidence of in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24215
Vulnerability details
A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when…
more
uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.