Cisco IOS XE SD-WAN Software Command Injection Vulnerability
Description
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root privileges on the underlying operating system. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to execute commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco IOS XE SD-WAN Software CLI command injection allows authenticated administrative users to execute arbitrary commands as root.
Vulnerability
Insufficient input validation in CLI commands of Cisco IOS XE SD-WAN Software allows command injection. Affected versions include those prior to 17.6.1a, 17.5.1a, 17.4.2, 17.3.4a, 17.3.3, 17.2.3, 17.2.2, 17.2.1v, 17.2.1r, 16.12.5, 16.12.4a, 16.12.4, 16.12.3, 16.11.1a [1][2].
Exploitation
An attacker must be authenticated as an administrative user. The attack leverages crafted input, including newline characters, to inject confd commands within sdwan wrapper commands, triggering the vshell command in Confd show mode, which grants a root shell [2].
Impact
Successful exploitation allows execution of arbitrary commands with root privileges on the underlying operating system, leading to full compromise of the device [1][2].
Mitigation
Cisco has released fixed versions as listed above. There are no workarounds [1][2]. Customers should upgrade to a fixed release.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient input validation on sdwan CLI commands allows newline injection, enabling an attacker to escape into Confd show mode and invoke the dangerous 'vshell' command."
Attack vector
An authenticated administrative user can inject arbitrary commands by embedding newline characters within sdwan CLI commands. The attacker first enables "term shell" on the device, then issues a command such as "clear sdwan policy access-list" with a crafted double-quoted argument containing newlines and the "vshell" command. Because the input is not validated, the newline characters cause Confd to interpret subsequent lines as separate Confd commands, allowing the attacker to escape into the Confd show mode and execute the "vshell" command, which provides an unrestricted root shell [ref_id=1].
Affected code
The vulnerability exists in the CLI of Cisco IOS XE SD-WAN Software, specifically in the sdwan wrapping commands that are sent to Confd through confd_cli. The advisory identifies that Confd show mode (forced via the "sdwan-oper" group) contains the dangerous "vshell" command, which is not supposed to be accessible to cEdge users [ref_id=1].
What the fix does
The advisory does not include a patch diff, but states that Cisco fixed the vulnerability across multiple release trains starting from versions such as 17.6.1a, 17.5.1a, 17.4.2, and others listed in the advisory [ref_id=1]. No workarounds are available. The fix presumably adds input validation to strip or escape newline characters and other injection payloads from sdwan CLI commands before they are passed to confd_cli, preventing the Confd show mode "vshell" command from being reachable.
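As an added illustration (not code from the advisory or from Cisco), the validation the fix is presumed to add, modelled in Python: a wrapper that refuses any quoted argument containing CR, LF or other control characters before handing the line to a subordinate line-oriented CLI. The verb, the sample arguments and the one-line model of the subordinate CLI are constructed stand-ins, not the real confd_cli interface.

```python
import re

# Control characters, CR/LF included, that let a single quoted wrapper
# argument be read by a line-oriented subordinate CLI as several commands.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_wrapper_argument(arg: str) -> tuple[bool, str]:
    """Check one quoted argument. Returns (True, "ok") for a single-line
    token, otherwise (False, reason). Assumption: this models the
    validation the fix is presumed to add; Cisco's own code is not public."""
    hit = CONTROL_CHARS.search(arg)
    if hit:
        return False, f"control character U+{ord(hit.group()):04X} at offset {hit.start()}"
    return True, "ok"


def build_wrapper_command(verb: str, arg: str) -> str:
    """Build the single line the wrapper hands to the subordinate CLI,
    refusing a bad argument outright rather than trying to escape it."""
    ok, reason = check_wrapper_argument(arg)
    if not ok:
        raise ValueError(f"rejected argument: {reason}")
    return f'{verb} "{arg}"'


def split_as_subordinate_cli(text: str) -> list[str]:
    """Model how a line-oriented CLI sees unvalidated text: every non-blank
    line is a separate command. Used only to show why the check matters."""
    return [line for line in text.split("\n") if line.strip()]


# Constructed samples (not from the advisory): a clean token and a token
# whose embedded newlines would be read as additional commands.
CLEAN_ARG = "aaaa"
MULTILINE_ARG = "aaaa\nsecond-command\n\nthird-command\n"

if __name__ == "__main__":
    print(build_wrapper_command("clear sdwan policy access-list", CLEAN_ARG))
    # Unvalidated path: the one argument turns into several CLI lines.
    print(split_as_subordinate_cli(f'clear sdwan policy access-list "{MULTILINE_ARG}"'))
    # Validated path: the same argument is refused before forwarding.
    print(check_wrapper_argument(MULTILINE_ARG))
```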
Preconditions
- auth: Attacker must be authenticated as an administrative user on the Cisco IOS XE SD-WAN device
- config: The 'term shell' feature must be enabled on the device to allow newline injection
- network: Attacker must have CLI access to the device (local or remote)
Reproduction
The advisory provides a proof-of-concept reproduction. On an affected device, enable terminal shell and then issue the following crafted command:
```
NR-4221-3#term shell
NR-4221-3#clear sdwan policy access-list "aaaa
DblQuotTkn>vshell
DblQuotTkn>
DblQuotTkn>id
DblQuotTkn>"
```
The "id" command executes with root privileges, confirming command injection [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-t68PPW7m (MITRE, vendor advisory, x_refsource_CISCO)
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-7xfm-92p7-qc57 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.