// For flags

CVE-2018-15465

Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability

Severity Score

8.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privileged actions by using the web management interface. The vulnerability is due to improper validation of user privileges when using the web management interface. An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user. An exploit could allow the attacker to retrieve files (including the running configuration) from the device or to upload and replace software images on the device.

Una vulnerabilidad en el subsistema de autorización de Cisco Adaptive Security Appliance (ASA) Software podría permitir que un atacante remoto autenticado, pero sin privilegios (niveles 0 y 1), realice acciones privilegiadas mediante el uso de la interfaz de gestión web. La vulnerabilidad se debe a la validación incorrecta de los privilegios del usuario al emplear la interfaz de gestión web. Un atacante podría explotar esta vulnerabilidad enviando peticiones HTTP específicas mediante HTTPS al dispositivo afectado como usuario sin privilegios. Su explotación podría permitir que el atacante recupere archivos (incluyendo la configuración en ejecución) del dispositivo o suba y reemplace imágenes del software en el dispositivo.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-08-17 CVE Reserved
  • 2018-12-24 CVE Published
  • 2024-05-11 EPSS Updated
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-285: Improper Authorization
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Cisco
Search vendor "Cisco"
Adaptive Security Appliance Software
Search vendor "Cisco" for product "Adaptive Security Appliance Software"
< 9.4.4.29
Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " < 9.4.4.29"
-
Affected
Cisco
Search vendor "Cisco"
Adaptive Security Appliance Software
Search vendor "Cisco" for product "Adaptive Security Appliance Software"
>= 9.5 < 9.6.4.20
Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.5 < 9.6.4.20"
-
Affected
Cisco
Search vendor "Cisco"
Adaptive Security Appliance Software
Search vendor "Cisco" for product "Adaptive Security Appliance Software"
>= 9.7 < 9.8.3.18
Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.7 < 9.8.3.18"
-
Affected
Cisco
Search vendor "Cisco"
Adaptive Security Appliance Software
Search vendor "Cisco" for product "Adaptive Security Appliance Software"
>= 9.9 < 9.9.2.36
Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.9 < 9.9.2.36"
-
Affected
Cisco
Search vendor "Cisco"
Adaptive Security Appliance Software
Search vendor "Cisco" for product "Adaptive Security Appliance Software"
>= 9.10 < 9.10.1.7
Search vendor "Cisco" for product "Adaptive Security Appliance Software" and version " >= 9.10 < 9.10.1.7"
-
Affected