Cyber Resilience

CVE-2023-20036

Critical · RCE

Published: 15 November 2024

Modified: 11 August 2025
KEV Added
Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0876 (92.7th percentile)
Risk Priority: 25 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20036 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cisco Industrial Network Director. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability in the web UI of Cisco Industrial Network Director (IND) stems from improper input validation during Device Pack uploads. An authenticated remote attacker can modify the associated HTTP request to inject operating system commands, resulting in arbitrary code execution as NT AUTHORITY\SYSTEM on the underlying Windows host. The flaw is tracked as CWE-78 and carries a CVSS 3.1 score of 9.9.

An attacker with valid credentials to the IND web interface can exploit the issue without user interaction by tampering with the upload workflow. Successful exploitation grants full administrative control over the affected device operating system, enabling persistence, lateral movement, or disruption of industrial network management functions.

Cisco has published software updates that remediate the vulnerability and states that no workarounds exist. The sole advisory reference is the vendor notice at sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V.

EPSS for the CVE reached a peak of 0.1235 on 2026-04-21 before receding to the current value of 0.0876; no public evidence of in-the-wild exploitation has been reported.

EU & UK References

Vulnerability details

A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: industrial network director
Affected versions: ≤ 1.11.3

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References