CVE-2021-1264

9.6 CRITICAL

📋 TL;DR

This vulnerability allows authenticated remote attackers to execute arbitrary CLI commands on devices managed by Cisco DNA Center through command injection in the Command Runner tool. It affects organizations using Cisco DNA Center for network management. Attackers can compromise managed network devices if they have valid credentials.

💻 Affected Systems

Products:
  • Cisco DNA Center
Versions: Prior to 2.1.2.0
Operating Systems: Cisco DNA Center OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Cisco DNA Center Command Runner tool or API.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all network devices managed by Cisco DNA Center, allowing lateral movement, data exfiltration, and network disruption.

🟠 Likely Case

Privilege escalation leading to unauthorized configuration changes, network monitoring, or credential harvesting from managed devices.

🟢 If Mitigated

Limited impact if strong authentication controls, network segmentation, and least privilege access are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.2.0 and later

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-cmdinj-erumsWh9

Restart Required: Yes

Instructions:

1. Back up the Cisco DNA Center configuration.
2. Download and install Cisco DNA Center version 2.1.2.0 or later from Cisco Software Center.
3. Follow Cisco's upgrade documentation for the proper installation procedure.
4. Verify the upgrade succeeded and that functionality is intact.

🔧 Temporary Workarounds

Restrict Command Runner Access

all

Limit access to Command Runner tool and API to only authorized administrators using role-based access controls.

Network Segmentation

all

Isolate Cisco DNA Center management network from production networks to limit potential lateral movement.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all Cisco DNA Center administrative accounts.
  • Monitor and audit all Command Runner tool usage and API calls for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check Cisco DNA Center version via GUI (System > About) or CLI. Versions below 2.1.2.0 are vulnerable.

Check Version:

show version

Verify Fix Applied:

Confirm version is 2.1.2.0 or later and test Command Runner functionality with safe commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Command Runner API calls
  • Suspicious CLI command execution patterns
  • Multiple failed authentication attempts followed by Command Runner access

Network Indicators:

  • Unusual outbound connections from Cisco DNA Center to managed devices
  • Anomalous command traffic patterns

SIEM Query:

source="cisco_dna_center" AND (event_type="command_runner" OR api_endpoint="/api/command-runner") AND (command="*;*" OR command="*|*" OR command="*&*")
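The same two log indicators (shell metacharacters in Command Runner commands, and failed logins followed by Command Runner access) expressed as detection logic over constructed audit events. This is an added example, not code from the advisory or from Cisco; the event field names (ts, user, event_type, api_endpoint, command) and the failed-login threshold are assumptions to map onto your own log schema.

```python
import re
from collections import defaultdict

# Shell separators the SIEM query matches (*;*, *|*, *&*). "|" is common in
# legitimate IOS commands ("show run | include ..."), so expect to allowlist
# known-good patterns when deploying this.
METACHARS = re.compile(r"[;|&]")
CMD_RUNNER_PATH = "/api/command-runner"   # endpoint named in the SIEM query
FAILED_AUTH_THRESHOLD = 3                 # assumed tuning value

def is_command_runner(event):
    return (event.get("event_type") == "command_runner"
            or event.get("api_endpoint") == CMD_RUNNER_PATH)

def find_injection_attempts(events):
    """Command Runner events whose command contains ; | or &."""
    return [e for e in events
            if is_command_runner(e) and METACHARS.search(e.get("command", ""))]

def find_bruteforce_then_runner(events, threshold=FAILED_AUTH_THRESHOLD):
    """Users who reached Command Runner after >= threshold failed logins."""
    failures = defaultdict(int)
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e.get("user")
        if e.get("event_type") == "auth_failure":
            failures[user] += 1
        elif is_command_runner(e) and failures[user] >= threshold:
            if user not in flagged:
                flagged.append(user)
    return flagged

# Constructed sample audit events (assumed field names, not real DNA Center logs).
SAMPLE_EVENTS = [
    {"ts": 1, "user": "netops", "event_type": "command_runner",
     "api_endpoint": CMD_RUNNER_PATH, "command": "show version"},
    {"ts": 2, "user": "mallory", "event_type": "auth_failure", "api_endpoint": "/api/auth"},
    {"ts": 3, "user": "mallory", "event_type": "auth_failure", "api_endpoint": "/api/auth"},
    {"ts": 4, "user": "mallory", "event_type": "auth_failure", "api_endpoint": "/api/auth"},
    {"ts": 5, "user": "mallory", "event_type": "command_runner",
     "api_endpoint": CMD_RUNNER_PATH, "command": "show version; id"},
    {"ts": 6, "user": "netops", "event_type": "other",
     "api_endpoint": "/api/inventory", "command": "a;b"},  # not Command Runner: ignored
]

if __name__ == "__main__":
    for e in find_injection_attempts(SAMPLE_EVENTS):
        print("metacharacter in Command Runner command:", e["user"], repr(e["command"]))
    print("failed logins then Command Runner access:", find_bruteforce_then_runner(SAMPLE_EVENTS))
```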

🔗 References