CVE-2019-1862 and CVE-2019-1904 are a pair of vulnerabilities I discovered in the Cisco IOS XE web management interface (WebUI) while working at Red Balloon Security.

100 Seconds of Solitude @ DEF CON 27

Slide from 100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans at DEF CON 27 (August 2019)

Combining a root command injection vulnerability with Cross-Site Request Forgery allowed us to demonstrate a way to remotely deliver the 😾😾😾 (Thrangrycat) exploit payload to a Cisco ASR 1001-X enterprise router (which cost about $10,000 per unit). The pair of vulnerabilities were discovered at the same time but disclosure of the CSRF vulnerability was delayed for a while, which made the issue initially appear to only be exploitable if someone already had administrator credentials and network access to a router’s management interface.

Cisco Security Advisory IDs: