Unrated severity · NVD Advisory · Published Feb 19, 2020 · Updated Nov 15, 2024

Cisco Enterprise NFV Infrastructure Software Remote Code Execution Vulnerability

CVE-2020-3138

Description

A vulnerability in the upgrade component of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to install a malicious file when upgrading. The vulnerability is due to insufficient signature validation. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to upload crafted code to the affected device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The upgrade component of Cisco NFVIS before 4.0.1 performs insufficient signature validation, allowing an authenticated, local attacker to install a malicious file during an upgrade.

Vulnerability

An authenticated, local attacker can exploit insufficient signature validation in the upgrade component of Cisco Enterprise NFV Infrastructure Software (NFVIS) to install a malicious file during an upgrade. The vulnerability affects Cisco NFVIS releases 3.11.1 and earlier [1].

Exploitation

The attacker must have authenticated local access to the device and be able to provide a crafted upgrade file. The insufficient signature validation allows the attacker to bypass integrity checks and upload the malicious file as part of the upgrade process [1].

Impact

Successful exploitation allows the attacker to upload crafted code to the affected device, potentially leading to remote code execution with elevated privileges [1].

Mitigation

Cisco released fixed software in NFVIS release 4.0.1. There are no workarounds that address this vulnerability, but administrators can mitigate risk by manually verifying upgrade hashes against published hashes on the official Cisco website before upgrading [1].
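The manual check described above can be scripted so that an image is handed to the upgrade process only after its digest matches the published one. This is an added example, not Cisco tooling or code from the advisory. It assumes the published value is a hex SHA-256 or SHA-512 digest copied from the official download page over a separate trusted channel; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor tooling): compare an upgrade image with the digest
# published on the vendor's download page before starting the upgrade.
# Assumption: the published digest is hex SHA-256 (64 chars) or SHA-512 (128 chars).
#
# verify_upgrade_image FILE PUBLISHED_HEX
#   returns 0 = match, 1 = mismatch, 2 = bad input (unreadable file, bad digest)
verify_upgrade_image() {
    img=$1
    # Normalise what was pasted from the web page: strip whitespace, lowercase.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$img" ] && [ -r "$img" ] || { echo "cannot read: $img" >&2; return 2; }

    # Reject empty input or anything that is not pure hex.
    case $want in
        ''|*[!0-9a-f]*) echo "published digest is not hex" >&2; return 2 ;;
    esac

    # Choose the tool from the digest length; refuse shorter digests such as MD5.
    case ${#want} in
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "unsupported digest length ${#want}" >&2; return 2 ;;
    esac

    # Hash via stdin so unusual file names cannot alter the tool's output format.
    got=$("$tool" < "$img" | cut -d' ' -f1) || return 2

    if [ "$got" = "$want" ]; then
        echo "OK: $img matches published digest"
        return 0
    fi
    echo "MISMATCH: do not install $img" >&2
    echo "  published: $want" >&2
    echo "  computed:  $got" >&2
    return 1
}

# Usage (placeholders, not real values):
#   verify_upgrade_image <upgrade-image> <digest-from-download-page> && echo "proceed"
```

A matching digest only ties the file to the published value, so the value must come from the official site and not from the same source that supplied the image.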

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1