CVE-2023-20036
📋 TL;DR
This vulnerability in the Device Pack upload feature of the Cisco Industrial Network Director (IND) web UI lets an authenticated, remote attacker execute arbitrary commands with SYSTEM privileges on the underlying Windows host. It stems from improper input validation of the upload request: an attacker who holds valid IND credentials alters the request that is sent when a Device Pack is uploaded, and the unvalidated content reaches the operating system. Successful exploitation gives complete control of the affected IND server.
💻 Affected Systems
- Cisco Industrial Network Director (IND), releases earlier than 1.11.3
📦 What is this software?
Cisco Industrial Network Director (IND) is a Windows-based management application for industrial (OT) networks: it discovers, monitors and configures Cisco industrial switches, routers and access points. Device Packs are add-on bundles uploaded through the IND web UI to extend support to additional device models and software releases; that upload path is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the IND server with SYSTEM privileges, allowing installation of persistent malware, theft of the credentials and device inventory IND holds for the OT network, data exfiltration, and lateral movement to the industrial devices IND manages.
Likely Case
An attacker who already has, or has phished or reused, valid IND credentials gains full control of the affected server: arbitrary command execution, configuration changes, and a foothold from which to pivot into the OT network.
If Mitigated
Network segmentation and tight access controls reduce who can reach the web UI and therefore who can attempt the attack, and contain the blast radius to the IND server; they do not reduce the severity of a successful exploit, which still yields complete compromise of that server.
🎯 Exploit Status
Exploitation requires valid IND web UI credentials, but is straightforward once authenticated: the attacker modifies the HTTP request sent during a Device Pack upload so that the improperly validated input is executed by the underlying OS. No special tooling beyond an intercepting proxy is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cisco IND Release 1.11.3 or later (confirm against the Cisco advisory)
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for affected and fixed versions.
2. Download and install the latest IND software update from Cisco.
3. Restart the affected server.
4. Verify that the installed version is the fixed release.
🧯 If You Can't Patch
- Restrict network access to the Cisco IND web UI to trusted administrative networks only (host firewall plus upstream ACLs), so that only administrators can reach the upload endpoint
- Keep IND accounts to the minimum set of administrators, enforce strong unique credentials, and monitor for unexpected Device Pack upload attempts
🔍 How to Verify
Check if Vulnerable:
Check Cisco IND software version against affected versions listed in the Cisco advisory
Check Version:
Check version through Cisco IND web UI or administrative interface
Verify Fix Applied:
Verify the installed version matches or exceeds the fixed version specified in the Cisco advisory
📡 Detection & Monitoring
Log Indicators:
- Device Pack uploads outside change windows, or from accounts that do not normally perform them
- A run of rejected Device Pack upload requests from one account or source followed by an accepted one (an attacker iterating on a tampered request)
- Child processes spawned by the IND service running as SYSTEM, in particular cmd.exe or powershell.exe
Network Indicators:
- HTTP POST requests to the Device Pack upload endpoint whose body or filename does not look like a legitimate Device Pack (unexpected characters, shell metacharacters, abnormal size)
- Outbound connections from the IND server to destinations other than the managed devices and Cisco update services it is expected to contact
SIEM Query (Splunk-style; the source name and field values are placeholders to map onto what your IND host actually logs):
source="cisco_ind" AND (event="device_pack_upload" OR event="cmd_exec*")
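The following Python script is an added example, not code from Cisco or from the IND product, that implements the three detection ideas above (upload burst, SYSTEM shell spawned by the IND service, unexpected outbound connection) over constructed sample data. The access-log layout, the upload path /devicepack/upload and the service binary name ind_service.exe are assumptions; replace them with the real log format, endpoint and process name from your deployment.

```python
"""Detection logic for CVE-2023-20036-style abuse of Device Pack uploads.
Added example; log formats, endpoint path and service name are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

UPLOAD_PATH = "/devicepack/upload"      # assumed endpoint name, not from the advisory
IND_SERVICE_IMAGE = "ind_service.exe"   # assumed IND service binary name
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Request:
    ts: datetime
    src_ip: str
    user: str
    method: str
    path: str
    status: int


def parse_access_log(lines):
    """Parse constructed 'ISO-time src_ip user METHOD path status' lines."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, method, path, status = line.split()[:6]
        out.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           ip, user, method, path, int(status)))
    return out


def upload_bursts(requests, window=timedelta(minutes=10), min_failures=2):
    """Flag (src_ip, user) pairs with >= min_failures rejected upload POSTs followed by
    an accepted one inside the window: the pattern of someone iterating on a tampered
    upload request until the server accepts it."""
    by_actor = defaultdict(list)
    for r in requests:
        if r.method == "POST" and r.path == UPLOAD_PATH:
            by_actor[(r.src_ip, r.user)].append(r)
    alerts = []
    for actor, reqs in by_actor.items():
        reqs.sort(key=lambda r: r.ts)
        for i, r in enumerate(reqs):
            if r.status < 400:
                fails = [f for f in reqs[:i] if f.status >= 400 and r.ts - f.ts <= window]
                if len(fails) >= min_failures:
                    alerts.append((actor, len(fails), r.ts))
                    break  # one alert per actor is enough
    return alerts


def suspicious_children(proc_events):
    """Windows process-creation events (4688-style dicts) where the IND service,
    running as SYSTEM, spawns a shell: what a successful injection looks like on the host."""
    hits = []
    for e in proc_events:
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        child = e["new_image"].rsplit("\\", 1)[-1].lower()
        if parent == IND_SERVICE_IMAGE and child in SHELLS and e["user"].upper().endswith("SYSTEM"):
            hits.append(e)
    return hits


def unexpected_outbound(connections, allowed_nets):
    """Connections from the IND host whose destination lies outside the networks
    IND is expected to reach (managed devices, update servers)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [c for c in connections
            if not any(ipaddress.ip_address(c["dst"]) in n for n in nets)]


# Constructed sample data; not real IND logs.
SAMPLE_ACCESS_LOG = """
2024-05-02T10:01:12Z 10.0.5.21 operator1 POST /devicepack/upload 400
2024-05-02T10:02:40Z 10.0.5.21 operator1 POST /devicepack/upload 400
2024-05-02T10:03:05Z 10.0.5.21 operator1 POST /devicepack/upload 200
2024-05-02T10:03:20Z 10.0.5.21 operator1 GET /devices 200
2024-05-02T11:15:00Z 10.0.9.4 netadmin POST /devicepack/upload 200
""".strip().splitlines()

SAMPLE_PROC_EVENTS = [
    {"parent_image": r"C:\IND\ind_service.exe", "new_image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"parent_image": r"C:\Windows\explorer.exe", "new_image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\netadmin"},
]

SAMPLE_CONNECTIONS = [
    {"dst": "10.10.0.15", "dport": 443},     # managed device subnet
    {"dst": "198.51.100.7", "dport": 4444},  # TEST-NET address standing in for an attacker host
]
ALLOWED_NETS = ["10.10.0.0/16"]


def run_all():
    """Run every detector over the sample data and return the hits by detector."""
    return {
        "upload_bursts": upload_bursts(parse_access_log(SAMPLE_ACCESS_LOG)),
        "shell_children": suspicious_children(SAMPLE_PROC_EVENTS),
        "odd_outbound": unexpected_outbound(SAMPLE_CONNECTIONS, ALLOWED_NETS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

The burst detector deliberately keys on source address and user together, since a stolen account used from a new host is the common case; the window and failure threshold are tuning knobs that should be set from a baseline of legitimate Device Pack activity, which in most deployments is rare and tied to change windows.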