Cisco ACE 4710 and ACE30 Application Control Engine CLI Privilege Escalation Vulnerability

ID CISCO-SA-20150826-CVE-2015-6265
Type cisco
Reporter Cisco
Modified 2015-08-31T19:47:23


A vulnerability in the command-line interface (CLI) of Cisco Application Control Engine (ACE) could allow an authenticated, local attacker to elevate privileges to read and alter the content of files that belong to other contexts.

The vulnerability is due to insufficient file access controls. An attacker could exploit this vulnerability by crafting a malicious file, copying it to the ACE, and using the file as input for a specific CLI command.

Cisco has confirmed the vulnerability; however, software updates are not available.

To exploit this vulnerability, an attacker must authenticate to the targeted device and have local network access. These access requirements may reduce the likelihood of a successful exploit.

Cisco would like to thank Jens Krabbenhoeft of Rauscher networX for reporting this vulnerability.