CVE-2022-20851: Cisco Security Advisory: Cisco IOS XE Software Web UI Command Injection Vulnerability

At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco IOS XE Software and had the web UI feature enabled.

For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the HTTP Server Configuration

To determine whether the HTTP Server feature is enabled for a device, log in to the device and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the device.

The following example shows the output of the show running-config | include ip http server|secure|active command for a device that has the HTTP Server feature enabled:

Router# show running-config | include ip http server|secure|active
ip http server
ip http secure-server

Note: The presence of either command or both commands in the device configuration indicates that the web UI feature is enabled.

If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.

If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

• IOS Software
• IOS XR Software
• Meraki products
• NX-OS Software