A vulnerability in the web UI of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access sensitive configuration information.
The vulnerability is due to improper access control to files within the web UI. An attacker could exploit this vulnerability by sending a malicious request to an affected device, according to Cisco. A successful exploit could allow the attacker to gain access to sensitive configuration information.
The vulnerability affects Cisco devices running an affected release of Cisco IOS XE Software with the web server feature enabled.
Cisco has confirmed this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.
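A triage sketch for the conditions above (IOS XE, web server feature enabled), added here as an example and not taken from Cisco's advisory. It assumes each device's `show version` and `show running-config` output has been saved into one text capture and that the web server is turned on by the global `ip http server` or `ip http secure-server` command; the hostnames and captures are constructed.

```python
import re

# Global-config commands that enable the IOS XE web server (HTTP / HTTPS).
HTTP_CMD = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
# Assumption: "show version" output names the OS as "IOS XE" or "IOS-XE".
IOS_XE = re.compile(r"\bIOS[ -]XE\b")


def web_listeners(capture: str) -> set:
    """Return which web server listeners ("http", "https") the config enables."""
    enabled = set()
    for line in capture.splitlines():
        if line[:1].isspace():      # indented lines belong to a sub-mode
            continue
        m = HTTP_CMD.match(line)
        if not m:
            continue
        name = "http" if m.group(2) == "server" else "https"
        if m.group(1):              # "no ip http ..." turns the listener off
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def triage(capture: str) -> str:
    """Classify one capture (show version + show running-config)."""
    if not IOS_XE.search(capture):
        return "not-ios-xe"         # IOS, IOS XR and NX-OS are not affected
    if not web_listeners(capture):
        return "web-ui-off"         # web server feature is not enabled
    return "check-release"          # compare release with Cisco's affected list


def triage_all(captures: dict) -> dict:
    return {host: triage(text) for host, text in captures.items()}


# Constructed sample captures, not taken from real devices.
SAMPLES = {
    "edge-rtr-1": "Cisco IOS XE Software, Version <release>\n!\nip http server\nip http secure-server\n",
    "edge-rtr-2": "Cisco IOS XE Software, Version <release>\n!\nno ip http server\nno ip http secure-server\n",
    "access-sw-1": "Cisco IOS Software, Version <release>\n!\nip http server\n",
}

if __name__ == "__main__":
    for host, verdict in triage_all(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Devices reported as `check-release` still need their release compared against Cisco's list of vulnerable releases, which this page does not reproduce.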
There are no workarounds that address this vulnerability, which has a CVSS score of 7.5.
Cisco released software updates that address the vulnerability. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability, which was found during internal security testing.