PT-2017-2994 · Cisco · Cisco IOS XE
Published
2017-09-27
·
Updated
2019-10-09
·
CVE-2017-12230
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Cisco IOS XE Software versions 16.2 and later are affected when the HTTP Server feature (the web-based user interface) is enabled on the device.
Description
A vulnerability in the web-based user interface of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges on an affected device. The vulnerability is due to incorrect default permission settings for new users who are created through the web UI of the affected software. An attacker could exploit this vulnerability by using the web UI to create a new user and then logging in to the web UI as the newly created user. A successful exploit could allow the attacker to elevate their privileges on the affected device. Note that the attacker must already hold credentials that allow logging in to the web UI and creating users, which is why the CVSS vector carries Au:S (single authentication); the impact is nonetheless rated complete for confidentiality, integrity and availability because the resulting account can gain control of the device.
Recommendations
For Cisco IOS XE Software versions 16.2 and later, update to a release that includes the fix for this vulnerability; the incorrect default permissions are a software defect and only the upgrade corrects them.
If the web UI is not required, disable the HTTP Server feature until the fixed release is installed; this removes the vulnerable interface entirely.
If the web UI must remain available, restrict access to it (for example with an access list on the HTTP server) so that only trusted management hosts can reach it, and review the local user accounts on the device, since any user created through the web UI by an attacker would persist after the workaround is applied.
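The following is an added example of the audit and workaround commands on a Cisco IOS XE device; it is not part of the advisory and not vendor-supplied configuration. The ACL number (10), the management subnet (10.0.100.0/24) and the order of steps are assumptions for illustration.

```cisco
! Added example (not from the advisory): audit and workaround steps for CVE-2017-12230.
! ACL number 10 and the management subnet 10.0.100.0/24 are assumed values.

! 1. Check whether the HTTP server / web UI is enabled at all.
!    "ip http server" or "ip http secure-server" in the output means the
!    vulnerable interface is exposed.
show running-config | include ip http

! 2. Preferred workaround where the web UI is not needed: disable it.
configure terminal
 no ip http server
 no ip http secure-server
end

! 3. If the web UI must stay up until the fixed release is installed, limit
!    who can reach it: only the (assumed) management subnet may connect.
configure terminal
 access-list 10 remark web-ui-management-only
 access-list 10 permit 10.0.100.0 0.0.0.255
 access-list 10 deny   any log
 ip http access-class 10
end

! 4. Review local accounts. A user created through the web UI is the artefact
!    of exploitation, so any account you did not provision yourself is suspect.
!    Compare each listed privilege level against what that user should have.
show running-config | include ^username
```

The access-class only limits which source addresses can reach the HTTP server; it does not change the permissions assigned to users the web UI creates, so an account added before the restriction was applied keeps whatever privilege it was given until you remove it or install the fixed release.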
Weakness type
Incorrect Default Permissions (CWE-276)
Affected Products
Cisco IOS XE