Cisco IOS XE Software Command Authorization Bypass (cisco-sa-aaascp-Tyj4fEJm)

critical Nessus Plugin ID 192251


The remote device is missing a vendor-supplied security patch


According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

- A vulnerability in the Authentication, Authorization, and Accounting (AAA) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to bypass command authorization and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP). This vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using SCP to connect to an affected device from an external machine. A successful exploit could allow the attacker to obtain or change the configuration of the affected device and put files on or retrieve files from the affected device. (CVE-2023-20186)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.


Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwe55871

See Also

Plugin Details

Severity: Critical

ID: 192251

File Name: cisco-sa-aaascp-Tyj4fEJm-iosxe.nasl

Version: 1.4

Type: combined

Family: CISCO

Published: 3/19/2024

Updated: 4/19/2024

Supported Sensors: Nessus

Risk Information


Risk Factor: Medium

Score: 6.5


Risk Factor: High

Base Score: 8.3

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2023-20186


Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:ios_xe

Required KB Items: Host/Cisco/IOS-XE/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/27/2023

Vulnerability Publication Date: 9/27/2023

Reference Information

CVE: CVE-2023-20186

CISCO-SA: cisco-sa-aaascp-Tyj4fEJm

IAVA: 2023-A-0510-S