PT-2017-2017 · Cisco · Cisco IOS XE

Published 2017-03-22 · Updated 2017-07-12 · CVE-2017-3858

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Cisco IOS XE Software version 16.2.1

Description: A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. A successful exploit could allow the attacker to execute commands with root privileges.

Recommendations: For Cisco IOS XE Software version 16.2.1, update to a newer version that addresses this vulnerability. As a temporary workaround, consider restricting access to the HTTP Server feature to minimize the risk of exploitation. Avoid using the affected web page parameter until the issue is resolved.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2017-01184
CVE-2017-3858

Affected Products

Cisco IOS XE