Cisco Web Security Appliance Privilege Escalation Vulnerability [CVE-2021-1359]

CVE number – CVE-2021-1359

A vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root.

This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files that contain scripting code to a vulnerable device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. An attacker would need a valid user account with the rights to upload configuration files to exploit this vulnerability.

This vulnerability affects Cisco AsyncOS for Cisco WSA, both virtual and hardware appliances.

Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table:

Cisco AsyncOS for Web Security Appliance Major ReleaseFirst Fixed Release
11.8 and earlier11.8.4-004
14.0Not affected.

1. Release 12.5.2 will be a Maintenance Release (MR) a few days after the publication date of this security advisory.

In most cases, the software can be upgraded over the network by using the System Upgrade options in the Cisco WSA web interface. To upgrade a device by using the web interface, do the following:

  1. Choose System Administration > System Upgrade.
  2. Click Upgrade Options.
  3. Choose Download and Install.
  4. Choose the release to upgrade to.
  5. In the Upgrade Preparation area, choose the appropriate options.
  6. Click Proceed to begin the upgrade. A progress bar displays the status of the upgrade.

After the upgrade is complete, the device reboots.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: