Cisco NX-OS Software NX-API Command Injection Vulnerability<p>A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with <em>root</em> privileges.</p>
<p>The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device. A successful exploit could allow the attacker to execute arbitrary commands with <em>root</em> privileges on the underlying operating system.</p>
<p><strong>Note:</strong> The NX-API feature is disabled by default.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2</a></p>
<p>This advisory is part of the February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74834" rel="nofollow">Cisco Event Response: February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication</a>.</p>
Security Impact Rating: High
CVE: CVE-2022-20650
Source: Cisco NX-OS Software NX-API Command Injection Vulnerability (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20NX-OS%20Software%20NX-API%20Command%20Injection%20Vulnerability&vs_k=1)