CVE-2018-0150: Cisco IOS XE Software Static Credential Vulnerability

Recently, Cisco officially updated the security notice of the IOS XE Software high-risk vulnerability (CVE-2018-0150). This update adds to the scope of the vulnerability. Cisco IOS XE Software running on the Services Virtual Router (ISRv) is also affected by this vulnerability, so please pay attention. This vulnerability (CVE-2018-0150) could allow an attacker to remotely control a Cisco IOS XE Software device with the highest privilege without being authenticated.

CVSS score

CVSS score: 9.8, CVSS: 3.0/ AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H

Affected version:

• Cisco IOS XE Software 16.5.x version < 16.5.2
• Cisco IOS XE Software 16.6.x version < 16.6.1
• Cisco IOS XE Software running on the Services Virtual Router (ISRv)

Unaffected version:

• Cisco IOS XE Software version < 16.x
• Cisco IOS XE Software version 16.5.2
• Cisco IOS XE Software version 16.6.1

Solution

The Cisco official has released an update patch to fix the above vulnerability. Users can apply for an upgrade service with the Cisco license that has been purchased. The affected enterprises should contact the Cisco official in time to obtain the latest patch upgrade for protection.