CVE-2023-20157

high-risk

Published 2023-05-18

Multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device. These vulnerabilities are due to improper validation of requests that are sent to the web interface. For more information about these vulnerabilities, see the Details section of this advisory.

Do I need to act?

0.48% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.6/10 High

NETWORK / LOW complexity

Affected Products (20)

Sf350-52Mp Firmware

Sf350-52P Firmware

Sf350-8Mp Firmware

Sf350-8Pd Firmware

Sf352-08 Firmware

Sf352-08Mp Firmware

Sf352-08P Firmware

Sf355-10P Firmware

Sf500-18P Firmware

Sf500-24 Firmware

Sf500-24Mp Firmware

Sf500-24P Firmware

Sf500-48 Firmware

Sf500-48Mp Firmware

Sf500-48P Firmware

Sf550X-24 Firmware

Sf550X-24Mp Firmware

Sf550X-24P Firmware

Sf550X-48 Firmware

Sf550X-48Mp Firmware

Affected Vendors

Cisco

References (2)

Vendor Advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

/ 100

high-risk

Severity 29/34 · Critical

Exploitability 2/34 · Minimal

Exposure 33/34 · Critical