CVE Catalog

CVE-2026-20220

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine.

Risk Assessment

An attacker with valid template user credentials with write permissions could exploit this vulnerability to execute commands in limited areas of the operating system. This could lead to unauthorized access to the system and potential damage.

Recommendation

Organizations are advised to update their Cisco Crosswork Network Controller devices to the latest software version to patch this vulnerability. Access to template user accounts with write permissions should also be restricted.

Original NVD description (English source)

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system in limited areas of the file system. This vulnerability affects only areas of the operating system for which the template user has write permissions.  To exploit this vulnerability, the attacker must have valid template user credentials with write permissions. Template users with read permissions cannot exploit this vulnerability. 

Vulnerability data from NVD (NIST) · CISA KEV · EPSS