Impact
The vulnerability is insufficient input validation within the web-based management interface’s configuration template engine. When an attacker sends a specially crafted request, the system interprets the data as a command, allowing execution of arbitrary shell commands on the underlying operating system. The attack is limited to filesystem paths that the authenticated template user can write to, but still permits the attacker to run any command within that scope. The weakness is listed as CWE-74.
Affected Systems
Cisco Crosswork Network Change Automation, accessed via its web-based management interface. No specific product versions are mentioned in the advisory; therefore all releases that include the vulnerable template engine may be at risk until a patch is released. The vendor explicitly targets only those template users who hold write permissions.
Risk and Exploitability
The CVSS base score of 6.3 classifies the flaw as a medium‑severity RCE. EPSS being below 1% suggests that, as of now, exploitation attempts are expected to be rare, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because the exploit requires valid, write‑capable template credentials, an attacker who compromises or authenticates as such a user can gain control over the device’s operating system in the areas where the user can create or modify files. Mitigation relies on command‑line privileges tied to template accounts and network segmentation.
OpenCVE Enrichment