Cisco Evolved Programmable Network Manager Arbitrary File Upload Vulnerability
TL;DR 📌
A medium-severity vulnerability has been identified in the Cisco Evolved Programmable Network Manager (EPNM) that allows authenticated attackers to upload arbitrary files. There are no workarounds available, and affected users should migrate to fixed software releases.
What happened 🕵️‍♂️
A vulnerability in the web-based management interface of Cisco EPNM could allow an authenticated, remote attacker to upload arbitrary files. This issue arises from improper validation of uploaded files, enabling an attacker with valid Config Managers credentials to exploit the vulnerability by sending a crafted file upload request to a specific API endpoint.
Affected products 🖥️
The vulnerability affects Cisco EPNM, specifically:
- Cisco EPNM Release 8.0 and earlier (requires migration to a fixed release)
- Cisco EPNM Release 8.1 is not vulnerable.
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Cisco EPNM Release | First Fixed Release | Notes |
|---|---|---|
| 8.0 and earlier | 8.1 | Affected; migrate to a fixed release. |
| 8.1 | Not vulnerable. | |

Advisory revision 1.0: Initial public release.
Workarounds 🧯
There are no workarounds available to mitigate this vulnerability.
Risk in context 🎯
With a CVSS score of 4.3, this vulnerability is classified as Medium severity. The risk is primarily driven by the requirement for valid authentication, limiting exposure to authenticated users. However, the potential for arbitrary file upload could lead to further exploitation if not addressed.
Fast facts ⚡
- Vulnerability: Arbitrary file upload in Cisco EPNM
- CVSS Score: 4.3 (Medium)
- Exploitation: Requires valid credentials
- Workarounds: None available
- Fixed Software: Migrate to a fixed release for versions 8.0 and earlier
For leadership 🧭
This vulnerability poses a Medium risk to your organization, given its CVSS score of 4.3. It requires valid authentication, which limits exposure to users holding valid credentials but still presents a threat of arbitrary file uploads. Immediate action is recommended to migrate to a fixed release if you are using Cisco EPNM version 8.0 or earlier.
Remediation ask: Patch within 7 days if using affected versions.
Operational impact: Expect a brief maintenance window with no configuration drift.
Now: Assess your current EPNM version.
Next: Migrate to a fixed release if on version 8.0 or earlier.
Later: Monitor for any updates or additional advisories from Cisco.