CVE-2020-3180 : A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated

A vulnerability in Cisco SD-WAN Solution Software could allow an unauthenticated, local attacker to access an affected device by using an account that has a default, static password. This account has root privileges. The vulnerability exists because the affected software has a user account with a default, static password. An attacker could exploit this vulnerability by remotely connecting to an affected system by using this account. A successful exploit could allow the attacker to log in by using this account with root privileges.

Published 2020-07-16 18:15:17

Updated 2023-05-23 13:55:46

Source Cisco Systems, Inc.

View at NVD, CVE.org

Products affected by CVE-2020-3180

Cisco » Sd-wan
Versions from including (>=) 19.2.0 and before (<) 19.2.2
cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*
Matching versions
Cisco » Sd-wan
Versions from including (>=) 18.4.0 and before (<) 18.4.5
cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*
Matching versions
Cisco » Sd-wan
Versions from including (>=) 18.3.0 and before (<) 18.3.6
cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » 1100-4g Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-4gltegb Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-4gltena Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-6g Integrated Services Router » Version: N/A
When used together with: Cisco » 1100 Integrated Services Router » Version: N/A
When used together with: Cisco » Vedge 100 » Version: N/A
When used together with: Cisco » Vedge 1000 » Version: N/A
When used together with: Cisco » Vedge 100b » Version: N/A
When used together with: Cisco » Vedge 100m » Version: N/A
When used together with: Cisco » Vedge 100wm » Version: N/A
When used together with: Cisco » Vedge 2000 » Version: N/A
When used together with: Cisco » Vedge 5000 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-3180

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-3180

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.4	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.5	5.9	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-3180

CWE-264

Assigned by: ykramarz@cisco.com (Secondary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-3180

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdscred-HfWWfqBj

Cisco SD-WAN Solution Software Static Credentials Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-3180

Products affected by CVE-2020-3180

Exploit prediction scoring system (EPSS) score for CVE-2020-3180

CVSS scores for CVE-2020-3180

CWE ids for CVE-2020-3180

References for CVE-2020-3180