Severity: High
CVE ID: CVE-2026-12573
Affected Software Version(s): DDI Central 6.2.0 / Build 6200
Fixed Version: Build 6201
Fixed on: June 18, 2026
Details:
ManageEngine DDI Central 6.2.0 (build 6200) had a Cisco IOS command injection vulnerability in its DHCP pool name handling. This issue could allow an authenticated operator to pass unsafe DHCP pool names during Cisco router provisioning, potentially leading to arbitrary command execution on managed Cisco routers.
The vulnerability has been fixed by validating DHCP pool names using a strict allowlist and rejecting unsafe IOS-significant characters before router provisioning begins.
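The kind of check described above, sketched as an added example (not ManageEngine's code). The allowlist pattern, the 32-character limit, the function names and the sample values are all assumptions, since the advisory does not publish the exact rule.

```python
import ipaddress
import re

# Assumed allowlist: starts with an ASCII letter or digit, then letters,
# digits, '_', '-' or '.', 32 characters at most.
POOL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")


class UnsafePoolName(ValueError):
    """Raised when a pool name falls outside the allowlist."""


def validate_pool_name(name):
    # fullmatch anchors both ends, so a trailing newline cannot slip through
    # the way it can with re.match(...) and a '$' anchor.
    if not isinstance(name, str) or POOL_NAME_RE.fullmatch(name) is None:
        raise UnsafePoolName("rejected DHCP pool name: %r" % (name,))
    return name


def build_pool_config(pools):
    """Validate every pool first; one bad value aborts before any line is built."""
    checked = []
    for pool in pools:
        name = validate_pool_name(pool["name"])
        # Parsing and re-serialising the addresses keeps raw text out of the config.
        net = ipaddress.ip_network("%s/%s" % (pool["network"], pool["mask"]))
        checked.append((name, net))
    lines = []
    for name, net in checked:
        lines.append("ip dhcp pool " + name)
        lines.append(" network %s %s" % (net.network_address, net.netmask))
    return lines


def triage(names):
    """Split candidate names into (accepted, rejected) for audit logging."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(validate_pool_name(n))
        except UnsafePoolName:
            rejected.append(n)
    return accepted, rejected


# Constructed sample input. Refused: whitespace, line breaks, '?' (IOS help),
# '!' (IOS comment), '|' (output filter), empty, over-long, non-ASCII digit.
SAMPLES = ["BRANCH-01", "lab_vlan.20", "two words", "lab\n", "lab\r\nx",
           "a?", "a!b", "a|b", "", "x" * 33, "lab\u0661"]
```

Rejected names are best logged with the operator account that submitted them, since the advisory notes the issue requires an authenticated operator.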
Impact:
Successful exploitation of this vulnerability could result in arbitrary command execution on managed Cisco routers.
Steps to upgrade:
Update your DDI Central Console and Node Agent instances to the latest build 6201 using the service pack.
Acknowledgements:
This issue was reported by d3lt4_2410.