Strix
26.1K

CVE-2020-3446

CRITICALCVSS 9.8/10EPSS 1.39%

Last modified

CVE-2020-3446 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password. The vulnerability exists because the affected software has user accounts with default, static passwords. EPSS estimates a 1.39% chance of exploitation in the next 30 days.

Description

A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password. The vulnerability exists because the affected software has user accounts with default, static passwords. An attacker with access to the NFVIS CLI of an affected device could exploit this vulnerability by logging into the CLI. A successful exploit could allow the attacker to access the NFVIS CLI with administrator privileges.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
1.39%

68.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CiscoEncs 5406-W Firmware6.4\(1\)
CiscoEncs 5406-W Firmware6.4\(3d\)
CiscoEncs 5408-W Firmware6.4\(1\)
CiscoEncs 5408-W Firmware6.4\(3d\)
CiscoEncs 5412-W Firmware6.4\(1\)
CiscoEncs 5412-W Firmware6.4\(3d\)
CiscoCsp 5228-W Firmware6.4\(1\)
CiscoCsp 5228-W Firmware6.4\(3d\)
CiscoCsp 5436-W Firmware6.4\(1\)
CiscoCsp 5436-W Firmware6.4\(3d\)

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-3446?
A vulnerability in Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled images for Cisco ENCS 5400-W Series and CSP 5000-W Series appliances could allow an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password. The vulnerability exists because the affected software has user accounts with default, static passwords. An attacker with access to the NFVIS CLI of an affected device could exploit this vulnerability by logging into the CLI. A successful exploit could allow the attacker to access the NFVIS CLI with administrator privileges.
How severe is CVE-2020-3446?
CVE-2020-3446 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.39% probability of exploitation in the next 30 days.
How do I fix CVE-2020-3446?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-3446?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST