Skip to main content

Cisco Crosswork CVE-2026-20220

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-17 cisco
6.3
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
6.3 MEDIUM

Network vector via web interface, low complexity once credentials held; PR:L reflects mandatory write-permissioned template account; limited C/I/A due to scoped filesystem access.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 16:58 vuln.today
CVE Published
Jun 17, 2026 - 16:17 cve.org
MEDIUM 6.3

DescriptionCVE.org

A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device.

This vulnerability is due to insufficient input validation in the configuration template engine of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system in limited areas of the file system. This vulnerability affects only areas of the operating system for which the template user has write permissions.  To exploit this vulnerability, the attacker must have valid template user credentials with write permissions. Template users with read permissions cannot exploit this vulnerability. 

AnalysisAI

Authenticated remote OS command injection in Cisco Crosswork Network Controller's web-based management interface allows a threat actor holding valid template user credentials with write permissions to execute arbitrary commands on the underlying operating system. The flaw resides in the configuration template engine, which fails to adequately validate attacker-supplied input before processing it, enabling CWE-74 injection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain template user credentials with write permissions
Delivery
Authenticate to Crosswork web management interface
Exploit
Craft malicious template injection payload
Execution
Submit crafted request to template engine endpoint
Persist
Template engine processes unsanitized input
Impact
Execute arbitrary OS commands in write-permitted filesystem areas

Vulnerability AssessmentAI

Exploitation Exploitation requires valid Cisco Crosswork template user credentials specifically assigned write permissions - template users with read-only permissions are explicitly confirmed not exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L is internally consistent and proportionate given the authentication requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid Cisco Crosswork template user credentials with write permissions - through phishing, credential reuse, or insider access - logs into the web-based management interface and submits a crafted HTTP request containing template injection payloads targeting the configuration template engine. The unsanitized input is processed by the template engine and passed to the underlying OS command interpreter, resulting in execution of attacker-controlled commands within the filesystem areas accessible to the template user. …
Remediation Consult the Cisco Security Advisory cisco-sa-cnc-inj-QNMeEmxk at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cnc-inj-QNMeEmxk for exact fixed software versions and upgrade instructions, as no specific patched version was enumerated in the available intelligence data - patch availability is confirmed per vendor advisory but the precise fix version must be obtained from Cisco directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-20220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy