CISCO-SA-20141223-CVE-2014-7999
Dec 23, 2014 - 6:53 p.m.

Cisco Meraki Local Management Interface Firmware Installation Vulnerability

2014-12-23 18:53:14
tools.cisco.com
CVSS2: 7.7
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.001
Percentile: 47.0%

A vulnerability in the local management interface of devices running Cisco Meraki firmware could allow an authenticated, remote attacker on an adjacent network to access a deprecated HTTP handler to install firmware.

An authenticated, remote attacker could exploit this vulnerability by authenticating to the local management interface and installing malicious firmware, overwriting the device configuration and possibly allowing the attacker to completely compromise the device.

Cisco Meraki has confirmed the vulnerability and released software updates.

An attacker must access networks adjacent to the targeted system to conduct an exploit, reducing the potential for attacks. In addition, the attacker must authenticate to the device’s administrative interface, further limiting the potential for exploitation.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Match: cisco meraki_ms_firmware (any) OR cisco meraki_mr_firmware (any) OR cisco meraki_mx_firmware (any)

| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | meraki_ms_firmware | any | cpe:2.3:a:cisco:meraki_ms_firmware:any:*:*:*:*:*:*:* |
| cisco | meraki_mr_firmware | any | cpe:2.3:a:cisco:meraki_mr_firmware:any:*:*:*:*:*:*:* |
| cisco | meraki_mx_firmware | any | cpe:2.3:a:cisco:meraki_mx_firmware:any:*:*:*:*:*:*:* |
