CVE-2023-20012

moderate-risk
Published 2023-02-23

A vulnerability in the CLI console login authentication of Cisco Nexus 9300-FX3 Series Fabric Extender (FEX) when used in UCS Fabric Interconnect deployments could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability is due to the improper implementation of the password validation function. An attacker could exploit this vulnerability by logging in to the console port on an affected device. A successful exploit could allow the attacker to bypass authentication and execute a limited set of commands local to the FEX, which could cause a device reboot and denial of service (DoS) condition.

Do I need to act?

EPSS score: 0.10% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 5.3/10 Medium (physical access, low attack complexity)

Affected Products (6)

Nexus 93180YC-FX3S Firmware
Nexus 93180YC-FX3 Firmware
UCS 6536 Firmware
UCS 64108 Firmware
UCS 6454 Firmware

Affected Vendors

Overall risk score: 31/100 (moderate-risk)
Severity: 18/34 (Moderate)
Exploitability: 0/34 (Minimal)
Exposure: 13/34 (Low)