Cisco IOS XE SD-WAN Software Parameter Injection Vulnerabilities
Description
Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to access the underlying operating system with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated local admin can inject parameters to reach a ConfD show-mode shell and gain root privileges on Cisco IOS XE SD-WAN devices.
Vulnerability
The vulnerabilities reside in the CLI of Cisco IOS XE SD-WAN Software. The `request platform software sdwan shell` command, used to connect to ConfD in configuration mode, lacks sufficient input validation on the `username` parameter. An attacker can inject spaces and dashes to alter the underlying command-line arguments. Affected versions include multiple releases; specific fixed versions are detailed in Cisco Advisory cisco-sa-xesdwpinj-V4weeqzU [2].
Exploitation
An attacker must be authenticated as an administrative user (privilege level 15). By crafting a malicious username containing spaces and dashes (e.g., `admin'" -g sdwan-oper "`), the attacker can manipulate the groups parameter passed to `confd_cli`. This forces ConfD to open in "show mode" instead of the intended configuration mode. The show-mode prompt exposes the `vshell` command, which provides a shell as the `binos` user [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands as `binos`, a low-privileged user inside the ConfD container. From this shell, privilege escalation to a full unrestricted root shell on the underlying IOS XE operating system is trivial (e.g., via `telnet 127.0.0.1`). The attacker gains complete control over the device [1].
Mitigation
Cisco has released software updates to address these vulnerabilities. The first fixed releases are identified in the Cisco Security Advisory; customers should upgrade to the specified patched versions [2]. No workarounds are available. The vulnerability is not listed in the CISA KEV catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient input validation of the username parameter in the CLI command allows parameter injection into the underlying `confd_cli` invocation."
Attack vector
An authenticated administrative user crafts a `request platform software sdwan shell username` command with a specially crafted username string containing spaces and dashes, such as `admin'" -g sdwan-oper \"`. This injects the `-g sdwan-oper` argument into the underlying `confd_cli` invocation, forcing the session into "show mode" which exposes the `vshell` command. From `vshell`, the attacker can execute arbitrary shell commands as the `binos` user, and then trivially escalate to root by running `telnet 127.0.0.1` or launching a new `confd_cli` session with `-U 0 -G 0`.
Affected code
The vulnerability resides in the CLI command handling of Cisco IOS XE SD-WAN Software, specifically in the `request platform software sdwan shell username` command. The `execute_confd_cli.sh` script passes the `username` parameter without proper validation, allowing injection of spaces and dashes to alter the `--groups` argument passed to `confd_cli`.
What the fix does
The advisory states Cisco fixed this vulnerability in versions 17.2.3f, 17.3.3, 17.3.4a, 17.4.1b, 17.4.2, 17.5.1a, and 17.6.1a and later. No patch diff is provided in the bundle. The fix presumably adds input validation to the CLI command parser to reject or escape spaces and dashes in the username parameter, preventing parameter injection into the underlying `confd_cli` invocation. No workarounds are available.
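As an added example (not Cisco's code and not taken from the advisory), the following shell script shows how an unquoted value is split into extra arguments and how an allowlist check plus quoting prevents that. `show_argv` is a hypothetical stand-in for `confd_cli`, `intended-group` is a placeholder group name, and the allowlist and 32-character limit are assumptions.

```shell
#!/bin/sh
# Added illustration only: not Cisco's execute_confd_cli.sh.

# Hypothetical stand-in for confd_cli: returns the argv it received,
# one bracketed entry per argument, so splitting is visible.
show_argv() {
    out=""
    for a in "$@"; do out="$out[$a]"; done
    printf '%s\n' "$out"
}

# Fragile pattern: $1 is expanded unquoted, so the shell word-splits it and
# everything after a space reaches the callee as separate options.
launch_unquoted() {
    # shellcheck disable=SC2086
    show_argv -u $1 -g intended-group   # intended-group: placeholder name
}

# Allowlist check (assumed policy): letters, digits, '.', '_' and '-' only,
# no leading dash, at most 32 characters.
valid_username() {
    case "$1" in
        ""|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Hardened pattern: validate first, then pass the value as one quoted argument.
launch_validated() {
    if ! valid_username "$1"; then
        printf 'rejected\n'
        return 1
    fi
    show_argv -u "$1" -g intended-group
}

# Constructed inputs.
launch_unquoted 'admin -g sdwan-oper'
launch_validated 'admin -g sdwan-oper' || true
launch_validated 'admin'
```

The same allowlist rejects the quoted form of the username shown on this page, because quote characters and spaces fall outside the permitted set.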
Preconditions
- auth: Attacker must be authenticated as an administrative user (PRIV15) to execute the affected CLI commands.
- network: Attacker must have network or console access to the Cisco IOS XE SD-WAN device.
- config: The device must be running a vulnerable version of Cisco IOS XE SD-WAN Software (before the fixed releases listed in the advisory).
Reproduction
1. Authenticate to the Cisco IOS XE SD-WAN device as an administrative user (PRIV15).
2. Execute the crafted command: `request platform software sdwan shell username "admin'\" -g sdwan-oper \"" privilege 15`.
3. The session drops into a `vshell` prompt.
4. Run `id` to confirm execution as `binos` user.
5. Escalate to root by running `telnet 127.0.0.1` or `confd_cli -C -U 0 -G 0 -g sdwan-oper`.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwpinj-V4weeqzU (mitre, vendor-advisory, x_refsource_CISCO)
- github.com/orangecertcc/security-research/security/advisories/GHSA-vw54-f9mw-g46r (mitre, x_refsource_MISC)