A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit. The vulnerability is due to incorrect input validation of user-supplied data to the NX-API subsystem. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Note: NX-API is disabled by default. This vulnerability affects MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvd47415, CSCve03216, CSCve03224, CSCve03234.

Published : 2018-06-21 11:29 Updated : 2019-10-09 23:31

CVSS Score More info
Score 9.0 / 10
Vendor Product Version URI
Cisco Nx-os - cpe:/o:cisco:nx-os:-
Cisco Nx-os 7.0%280%29hsk%280.357%29 cpe:/o:cisco:nx-os:7.0%280%29hsk%280.357%29
Cisco Nx-os 8.0%281%29s20 cpe:/o:cisco:nx-os:8.0%281%29s20
Cisco Nx-os 8.1%280%29bd%280.20%29 cpe:/o:cisco:nx-os:8.1%280%29bd%280.20%29
Cisco Nx-os 8.1%280.97%29s0 cpe:/o:cisco:nx-os:8.1%280.97%29s0
Cisco Nx-os 8.1%281%29s5 cpe:/o:cisco:nx-os:8.1%281%29s5
  1. Cisco (1) Search CVE
    1. Nx-os (6) Search CVE
      1. -
      2. 7.0%280%29hsk%280.357%29
      3. 8.0%281%29s20
      4. 8.1%280%29bd%280.20%29
      5. 8.1%280.97%29s0
      6. 8.1%281%29s5


ID Name Description Links
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. CVE

History of changes

Date Event
2019-10-03 00:03
2018-08-20 21:13
2018-06-24 01:29
2018-06-21 11:29