Cisco has patched critical vulnerabilities impacting its Industrial Network Director and Modeling Labs solutions.
The critical severity flaw in the web interface of the Industrial Network Detector tracked as CVE-2023-20036 with a CVSS score of 9.9. The issue exists because input was not properly validated when uploading a device pack. An authenticated attacker could alter the upload request and execute commands with administrative privileges.
Cisco IND version 1.11.3 resolves this vulnerability along with a medium-severity bug that could allow an attacker to read application data.
Another critical-severity flaw in the external authentication mechanism of Modeling Labs is an on-premises network simulation tool tracked as CVE-2023-20154 with a CVSS score of 9.1, the issue is the result of improper handling of certain messages returned by the external authentication server. The security defect was patched with the release of Modeling Labs version 2.5.1.
Successful exploitation of the vulnerability would allow the attacker to access and modify simulations and user-created data.
Cisco also patched high-severity vulnerabilities in StarOS software, and the BroadWorks network server tracked as CVE-2023-20046, which could lead to privilege escalation and denial-of-service.
Cisco is not aware of any of these vulnerabilities being exploited in attacks. Customers are advised to apply the available fixes as soon as possible, as unpatched Cisco products are known to have been exploited in the wild.