CVE-2020-27131

Description

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITYSYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities.

Risk Information

Base Score

9.8

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Exploitation Probability

88.492

Associated Vulnerability

Vulnerability	OS Platform
Cisco Security Manager Java Deserialization Vulnerabilities For Cisco Security Manager	NCM
Deserialization of Untrusted Data Vulnerability (CVE-2020-27131)	NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE

Patch ID	Patch Description
PATCH-1705795	Security Update for Cisco Security Manager 4.12(0.64)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234