Cisco IOS XE SD-WAN Software Console Privilege Escalation Vulnerability
Description
A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration. This vulnerability occurs because the default configuration is applied for console authentication and authorization. An attacker could exploit this vulnerability by connecting to the console port and authenticating as a read-only user. A successful exploit could allow a user with read-only permissions to access administrative privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated local read-only users can escalate to administrative privileges via the console port in Cisco IOS XE SD-WAN Software due to default configuration.
Vulnerability
A vulnerability in the role-based access control of Cisco IOS XE SD-WAN Software allows an authenticated, local attacker with read-only privileges to obtain administrative privileges by using the console port when the device is in the default SD-WAN configuration. This occurs because the default configuration for console authentication and authorization is applied, granting excessive privileges. Affected versions include certain releases of Cisco IOS XE SD-WAN Software; refer to the Cisco Security Advisory [1] for a complete list.
Exploitation
An attacker must have local access to the device's console port and possess valid read-only user credentials. The device must be operating under the default SD-WAN configuration. The attacker connects to the console port, authenticates as a read-only user, and then leverages the default authorization settings to gain administrative access. No additional user interaction is required beyond the initial authentication.
Impact
Successful exploitation allows the attacker to escalate from read-only privileges to full administrative privileges on the affected Cisco IOS XE SD-WAN device. This grants the attacker complete control over the device, including the ability to modify configurations, access sensitive data, and potentially disrupt network operations.
Mitigation
Cisco has released software updates to address this vulnerability. Customers should upgrade to a fixed software release as specified in the Cisco Security Advisory [1]. As a workaround, administrators can modify the console authentication and authorization configuration to enforce least privilege, though this may not be feasible in all deployments. No public exploitation has been reported at the time of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: n/a
Patches
No patches discovered yet.
References
- [1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-esc-rSNVvTf9 (mitre, vendor-advisory, x_refsource_CISCO)