cnvd - cnvd-2025-05712

CNVD-2025-05712

Vulnerability from cnvd - Published: 2025-03-24

Title

Cisco Meraki MX67和Cisco Meraki MX68访问验证错误漏洞

Description

‌Cisco Meraki MX67和Cisco Meraki MX68是思科Meraki系列的云管路由器。 Cisco Meraki MX67和Cisco Meraki MX68存在访问验证错误漏洞，该漏洞源于访问控制不当，攻击者可利用该漏洞导致信息泄露。

Severity

中

Patch Name

Cisco Meraki MX67和Cisco Meraki MX68访问验证错误漏洞的补丁

Patch Description

‌Cisco Meraki MX67和Cisco Meraki MX68是思科Meraki系列的云管路由器。 Cisco Meraki MX67和Cisco Meraki MX68存在访问验证错误漏洞，该漏洞源于访问控制不当，攻击者可利用该漏洞导致信息泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://documentation.meraki.com/General_Administration/Privacy_and_Security/Cisco_Meraki_MX67_and_MX68_Sensitive_Information_Disclosure_Vulnerability

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-1815

Impacted products

Name
['Cisco Cisco Meraki MX67', 'Cisco Cisco Meraki MX68']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1815",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-1815"
    }
  },
  "description": "\u200cCisco Meraki MX67\u548cCisco Meraki MX68\u662f\u601d\u79d1Meraki\u7cfb\u5217\u7684\u4e91\u7ba1\u8def\u7531\u5668\u3002\n\nCisco Meraki MX67\u548cCisco Meraki MX68\u5b58\u5728\u8bbf\u95ee\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://documentation.meraki.com/General_Administration/Privacy_and_Security/Cisco_Meraki_MX67_and_MX68_Sensitive_Information_Disclosure_Vulnerability",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05712",
  "openTime": "2025-03-24",
  "patchDescription": "\u200cCisco Meraki MX67\u548cCisco Meraki MX68\u662f\u601d\u79d1Meraki\u7cfb\u5217\u7684\u4e91\u7ba1\u8def\u7531\u5668\u3002\r\n\r\nCisco Meraki MX67\u548cCisco Meraki MX68\u5b58\u5728\u8bbf\u95ee\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8bbf\u95ee\u63a7\u5236\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Meraki MX67\u548cCisco Meraki MX68\u8bbf\u95ee\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco Cisco Meraki MX67",
      "Cisco Cisco Meraki MX68"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-1815",
  "serverity": "\u4e2d",
  "submitTime": "2025-03-13",
  "title": "Cisco Meraki MX67\u548cCisco Meraki MX68\u8bbf\u95ee\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2019-1815 (GCVE-0-2019-1815)

Vulnerability from cvelistv5 – Published: 2025-03-04 18:14 – Updated: 2025-03-04 18:29

Title

Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability

Summary

A security vulnerability was discovered in the local status page functionality of Cisco Meraki’s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information, and is only exploitable when the local status page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrative-level access to the device.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

cisco

References

URL

Tags

https://documentation.meraki.com/General_Administ…

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Meraki MX Firmware	Affected: N/A

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-1815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T18:29:15.690942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T18:29:27.408Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Meraki MX Firmware",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "N/A"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability was discovered in the local status page functionality of Cisco Meraki\u2019s MX67 and MX68 security appliance models that may allow unauthenticated individuals to access and download logs containing sensitive, privileged device information. The vulnerability is due to improper access control to the files holding debugging and maintenance information, and is only exploitable when the local status page is enabled on the device. An attacker exploiting this vulnerability may obtain access to wireless pre-shared keys, Site-to-Site VPN key and other sensitive information. Under certain circumstances, this information may allow an attacker to obtain administrative-level access to the device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "As of this publication date, Cisco Meraki is NOT aware of any active exploitation of this vulnerability, nor the public availability of any tool to exploit this vulnerability, nor details on how to exploit this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "cvssV3_0"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-04T18:14:41.026Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability",
          "url": "https://documentation.meraki.com/General_Administration/Privacy_and_Security/Cisco_Meraki_MX67_and_MX68_Sensitive_Information_Disclosure_Vulnerability"
        }
      ],
      "source": {
        "advisory": "Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability",
        "discovery": "EXTERNAL"
      },
      "title": "Cisco Meraki MX67 and MX68 Sensitive Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2019-1815",
    "datePublished": "2025-03-04T18:14:41.026Z",
    "dateReserved": "2018-12-06T00:00:00.000Z",
    "dateUpdated": "2025-03-04T18:29:27.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-05712

CVE-2019-1815 (GCVE-0-2019-1815)

Tags

Sightings

Nomenclature