CVE-2021-1498

Cisco HyperFlex HX Command Injection Vulnerabilities

CVSS 9.8 CRITICAL | EPSS 100.0% | KEV | CWE-78

In short

Cisco HyperFlex HX's web interface has multiple flaws that let unauthenticated attackers inject and execute arbitrary commands on the device remotely. This is critical because the attacker needs no credentials and can completely compromise the system.

Technical detail

Unauthenticated remote command injection vulnerabilities in the Cisco HyperFlex HX web management interface (CWE-78) allow attackers to execute arbitrary system commands without authentication. The attack vector is network-based via the web interface; no preconditions or user interaction are required. Impact includes full system compromise and unauthorized data access.

Summary generated and translated by AI from the official description.
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H