Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malformed HTTP requests to an affected device. A successful exploit could allow the attacker to cause a watchdog timer to expire and the device to reload, resulting in a DoS condition. To exploit this vulnerability, the attacker must have a valid user account.
AnalysisAI
HTTP Server input validation failures in Cisco IOS and IOS XE Release 3E enable authenticated remote attackers to trigger device reloads via malformed requests, causing denial of service. An attacker with valid credentials can exploit improper input handling to exhaust watchdog timers and force unexpected system restarts. No patch is currently available for this vulnerability affecting Cisco and Apple products.
Technical ContextAI
This vulnerability stems from CWE-228 (Improper Handling of Syntactically Invalid Structure), where the HTTP Server component in Cisco IOS and IOS XE software fails to properly validate user-supplied input in HTTP requests. The affected products span a wide range of Cisco network devices running IOS versions from 12.2 through 15.9 and IOS XE versions from 3.5 through 3.18, as indicated by CPE entries cpe:2.3:a:cisco:ios and cpe:2.3:a:cisco:cisco_ios_xe_software. The HTTP Server feature, when enabled on these devices, processes incoming HTTP requests without adequate input sanitization, allowing malformed requests to trigger watchdog timer failures that force a device reload. The vulnerability's scope change (S:C) in the CVSS vector indicates that the impact extends beyond the vulnerable component itself.
RemediationAI
Apply security updates as recommended in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-dos-sbv8XRpL, which provides specific fixed versions for each affected release train. Until patching is completed, disable the HTTP Server feature if not required for management operations using the 'no ip http server' and 'no ip http secure-server' commands in global configuration mode. If HTTP/HTTPS management access is necessary, implement strict access control lists (ACLs) to limit HTTP Server access to only trusted management networks and IP addresses, enforce strong authentication mechanisms, and monitor for suspicious HTTP request patterns that could indicate exploitation attempts. Deploy out-of-band management networks where possible to isolate device management traffic from production networks. Prioritize patching for devices with internet-facing management interfaces or those accessible from less-trusted network segments.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15449