Description
A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access.

This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access.
Published: 2026-05-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient file access checks in the web-based management interface of Cisco IoT Field Network Director: an authenticated user with low privileges can submit crafted input and retrieve files that their account is not authorized to read. The CVSS vector (C:H/I:N/A:N) scopes the impact to confidentiality, with potential exposure of configuration data, credentials, or other sensitive files; the record does not say which files are reachable, so "arbitrary file read" is not established. The record maps the weakness to CWE-388 (7PK - Errors), although the CVE title describes a path traversal, which is conventionally CWE-22.
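The check that is missing in a flaw of this class, shown as an added example that is not Cisco's code and does not reflect how IoT-FND actually serves files: a hypothetical export-download handler with a weak path check next to one that canonicalizes the requested path, confines it to the export root, and then applies a per-role authorization table. The directory layout, role table, role names and file names are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical per-role authorization table (an assumption for this example):
# the first path component under the export root that each role may read.
ROLE_ALLOWED_SUBDIRS = {
    "admin": {"reports", "configs"},
    "operator": {"reports"},
}


def weak_path(base_dir: Path, user_input: str) -> Path:
    """Insufficient check: only a leading slash is stripped, so '..' segments
    walk out of base_dir, and no per-role authorization happens at all."""
    return base_dir / user_input.lstrip("/")


def checked_path(base_dir: Path, user_input: str, role: str) -> Path:
    """Canonicalize the request, confine it to base_dir, then authorize it."""
    if "\x00" in user_input:
        raise ValueError("NUL byte in requested path")
    root = base_dir.resolve()
    # resolve() collapses '..' and follows symlinks, so the containment test
    # below sees the real target rather than the string the client sent.
    # An absolute user_input replaces root entirely and is caught the same way.
    candidate = (root / user_input).resolve(strict=False)
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{user_input!r} escapes the export root") from None
    if len(rel.parts) < 2:
        raise PermissionError("requests must name a file inside a subdirectory")
    if rel.parts[0] not in ROLE_ALLOWED_SUBDIRS.get(role, set()):
        raise PermissionError(f"role {role!r} may not read {rel.parts[0]!r}")
    return candidate


def demo() -> dict:
    """Build a constructed export tree in a temp dir and exercise both checks."""
    root = Path(tempfile.mkdtemp(prefix="exports-"))
    outside = root.parent / (root.name + "-outside.txt")
    try:
        (root / "reports").mkdir()
        (root / "configs").mkdir()
        (root / "reports" / "daily.csv").write_text("node,uptime\n")
        (root / "configs" / "db.cfg").write_text("password=hunter2\n")
        outside.write_text("outside the export root\n")
        symlink_ok = True
        try:
            # A link inside the tree to a file outside it; resolve() follows it.
            (root / "reports" / "link.txt").symlink_to(outside)
        except OSError:
            symlink_ok = False

        def attempt(user_input: str, role: str) -> str:
            try:
                checked_path(root, user_input, role)
                return "allowed"
            except (PermissionError, ValueError):
                return "denied"

        weak = os.path.normpath(str(weak_path(root, "../../../../etc/passwd")))
        return {
            "weak_traversal_escapes": not weak.startswith(str(root) + os.sep),
            "operator_reports": attempt("reports/daily.csv", "operator"),
            "operator_configs": attempt("configs/db.cfg", "operator"),
            "admin_configs": attempt("configs/db.cfg", "admin"),
            "admin_traversal": attempt("../../../../etc/passwd", "admin"),
            "admin_absolute": attempt("/etc/passwd", "admin"),
            "admin_symlink": attempt("reports/link.txt", "admin") if symlink_ok else "skipped",
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        outside.unlink(missing_ok=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two checks are deliberately separate: confinement (the resolved path stays under the export root) stops traversal and symlink escapes, and authorization (the role may read that subtree) stops a low-privilege account from reading files that are inside the root but not meant for it. A handler that does only the first still has the "reads files they are not authorized to access" problem described above.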

Affected Systems

The affected product is Cisco IoT Field Network Director (IoT-FND). The record provides no version information, so every deployment should be treated as potentially vulnerable until Cisco publishes affected-version details and a fix.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates medium severity: the interface is network-reachable, attack complexity is low and no user interaction is needed, but an authenticated low-privilege account is required and the impact is limited to confidentiality. The vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no public evidence of exploitation at the time of writing. The practical precondition is any valid low-privilege account on the management interface, whether a legitimate user, a compromised credential or a poorly protected shared account; such an account could read configuration files and other sensitive data it was never granted. The attack vector is remote, via the web-based management interface.

Generated by OpenCVE AI on May 6, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Cisco fix for IoT Field Network Director as soon as one is published; the record currently lists no vendor fix or workaround, so track the Cisco security advisory for this CVE.
  • Restrict which accounts can log in to the web-based management interface and review existing low-privilege accounts. Least privilege on accounts limits who can reach the flaw but does not by itself stop a valid low-privilege user from reading protected files, so also limit network access to the interface to management hosts.
  • Enable request logging on the web-based management interface and alert on requests whose path or parameters contain path-traversal sequences (including percent-encoded and double-encoded forms), with priority on requests that returned a file.
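Detection logic for the third action, as an added example that is not from the original page or from the product: a scanner over constructed access-log lines in a hypothetical format (timestamp, user, status, method, request target) that percent-decodes repeatedly to catch double encoding, unifies backslashes, and flags requests whose path or query values contain a '..' segment or a dots-only segment used to defeat naive filters. The log format, user names and request targets are all constructed.

```python
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in a hypothetical format (not the product's real
# log format): <timestamp> <user> <status> <method> <request-target>
SAMPLE_LOG = """\
2026-05-06T18:20:01Z operator1 200 GET /api/export?file=reports/daily.csv
2026-05-06T18:20:05Z operator1 200 GET /api/export?file=..%2F..%2F..%2Fetc%2Fpasswd
2026-05-06T18:20:09Z operator1 403 GET /api/export?file=%252e%252e/%252e%252e/etc/shadow
2026-05-06T18:21:00Z admin 200 GET /api/export?file=configs/db.cfg
2026-05-06T18:21:30Z operator2 200 GET /api/export?file=....//....//etc/hosts
2026-05-06T18:22:00Z operator1 200 GET /api/export?file=reports\\..\\..\\boot.ini
2026-05-06T18:22:30Z admin 200 GET /api/export?file=reports/2026..05..06.csv
"""


def normalize_target(target: str) -> str:
    """Percent-decode until stable (bounded, to catch double encoding) and
    map backslashes to slashes so Windows-style separators are not missed."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def _suspicious_segment(seg: str) -> bool:
    # '..' is a real traversal step; a segment of three or more dots only
    # ('....//') is the classic evasion against filters that strip '../' once.
    return seg == ".." or (len(seg) >= 3 and set(seg) == {"."})


def is_traversal(target: str) -> bool:
    """True if the path or any query value of the request contains a
    traversal segment after decoding."""
    parts = urlsplit(normalize_target(target))
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(_suspicious_segment(seg) for c in candidates for seg in c.split("/"))


def parse_line(line: str) -> dict:
    ts, user, status, method, target = line.split(maxsplit=4)
    return {"ts": ts, "user": user, "status": status, "method": method, "target": target}


def find_traversal(log_text: str) -> list:
    """Return the parsed records whose request target looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_traversal(rec["target"]):
            hits.append(rec)
    return hits


def count_by_user(hits: list) -> dict:
    """Per-account hit counts: repeated attempts from one low-privilege
    account are the pattern worth an alert."""
    return dict(Counter(h["user"] for h in hits))


def successful(hits: list) -> list:
    """A 200 on a traversal request is the higher-priority signal: the file
    may actually have been served."""
    return [h for h in hits if h["status"] == "200"]


if __name__ == "__main__":
    found = find_traversal(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["user"], h["status"], h["target"])
    print("per user:", count_by_user(found))
    print("served:", len(successful(found)))
```

The dotted-filename line (2026..05..06.csv) is included so the rule is checked against a legitimate name containing '..' inside a segment; matching on the substring '..' alone would flag it. Tune the decode bound and the dots-only heuristic to the real log format before deploying this as an alert.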

Generated by OpenCVE AI on May 6, 2026 at 18:21 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cisco; Cisco iot Field Network Director
Vendors & Products  |                | Cisco; Cisco iot Field Network Director

Wed, 06 May 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access.
Title       |                | Cisco IoT Field Network Director Path Traversal Vulnerability
Weaknesses  |                | CWE-388
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-06T17:59:11.531Z

Reserved: 2025-10-08T11:59:15.391Z

Link: CVE-2026-20168

Vulnrichment

Updated: 2026-05-06T17:59:08.080Z

NVD

Status : Awaiting Analysis

Published: 2026-05-06T17:16:20.590

Modified: 2026-05-06T18:59:53.230

Link: CVE-2026-20168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T18:15:34Z

Weaknesses