PT-2018-1191 · Cisco · Cisco IOS XE
Published
2018-03-28
·
Updated
2019-12-03
·
CVE-2018-0152
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Cisco IOS XE Software versions prior to the fixed version
Description
The web-based user interface (web UI) of Cisco IOS XE Software does not reset the privilege level for each web UI session. An authenticated, remote attacker can exploit this by remotely accessing a VTY line to the device: a successful exploit gives the attacker access to the device with the privileges of the user who previously logged in to the web UI, which may be higher than the attacker's own. The vulnerability affects Cisco devices running a vulnerable release of Cisco IOS XE Software only when both of the following conditions hold: the HTTP Server feature is enabled, and authentication, authorization, and accounting (AAA) authorization is not configured for EXEC sessions.
Recommendations
Update affected devices to a Cisco IOS XE Software release that contains the fix for this issue.
Until the device can be upgraded, disable the HTTP Server feature (no ip http server and no ip http secure-server) if the web UI is not required; this removes the attack vector entirely.
Restrict access to the VTY lines to trusted management hosts (for example, with an inbound access-class on the vty lines), so that only those hosts can open the session that inherits the stale privilege level.
Configure AAA authorization for EXEC sessions (aaa authorization exec). Devices with EXEC authorization configured do not meet the conditions for this vulnerability, so this removes a precondition for exploitation rather than merely reducing the attack surface.
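The three conditions above can be checked against a saved "show running-config" dump before and after remediation. The following audit script is an added example and is not part of the advisory or of any Cisco software; the two sample configurations, the hostname and the ACL name MGMT-HOSTS are constructed for illustration, while the commands they contain are standard IOS XE syntax. It flags a device as exposed when both advisory preconditions hold (HTTP Server enabled and no effective EXEC authorization) and reports VTY ranges that lack an inbound access-class separately.

```python
"""Audit a Cisco IOS XE running-config for the CVE-2018-0152 preconditions.

Added example, not Cisco code. Checks:
  1. HTTP Server feature enabled (ip http server / ip http secure-server)
  2. AAA authorization configured for EXEC sessions
  3. VTY lines restricted with an inbound access-class (recommended hardening)
"""
import re

# Constructed sample: a device that matches every precondition of the advisory.
VULNERABLE_CONFIG = """\
version 16.6
hostname edge-rtr
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login local
 transport input ssh
!
"""

# Constructed sample of the same device after applying the recommendations.
HARDENED_CONFIG = """\
version 16.6
hostname edge-rtr
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
!
no ip http server
no ip http secure-server
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
"""

HTTP_RE = re.compile(r"^ip http (?:secure-)?server$")
AAA_EXEC_RE = re.compile(r"^aaa authorization exec (\S+)\s+(.+)$")
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
ACCESS_CLASS_RE = re.compile(r"^access-class \S+ in(?: vrf-also)?$")


def _lines(config):
    return [ln.rstrip() for ln in config.splitlines()]


def http_server_enabled(config):
    """True if the HTTP or HTTPS server is active. A disabled service shows up
    as 'no ip http ...' in the running-config and does not match."""
    return any(HTTP_RE.match(ln) for ln in _lines(config))


def aaa_exec_authorization_configured(config):
    """True when AAA is enabled and at least one EXEC authorization list uses a
    real method. A list consisting only of 'none' authorizes everything, so it
    is treated as not configured."""
    lines = _lines(config)
    if "aaa new-model" not in lines:
        return False
    for ln in lines:
        m = AAA_EXEC_RE.match(ln)
        if m and any(method != "none" for method in m.group(2).split()):
            return True
    return False


def unrestricted_vty_lines(config):
    """Return the 'line vty ...' headers whose block has no inbound access-class."""
    unrestricted = []
    header, children = None, []
    for ln in _lines(config) + [""]:  # sentinel flushes the last block
        if ln.startswith(" "):
            children.append(ln.strip())
            continue
        if header and not any(ACCESS_CLASS_RE.match(c) for c in children):
            unrestricted.append(header)
        header = ln if VTY_RE.match(ln) else None
        children = []
    return unrestricted


def assess(config):
    """Summarise exposure: both advisory preconditions must hold to be exposed."""
    http = http_server_enabled(config)
    aaa = aaa_exec_authorization_configured(config)
    return {
        "http_server_enabled": http,
        "aaa_exec_authorization": aaa,
        "unrestricted_vty": unrestricted_vty_lines(config),
        "exposed": http and not aaa,
    }


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg))
```

Feed the script the output of "show running-config" from each device; a device reported as exposed should be upgraded, or have the HTTP Server feature disabled or EXEC authorization configured, before the stale-privilege window can be reached over a VTY line.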
Fix
Insufficient Session Expiration
Affected Products
Cisco IOS XE