CVE-2026-20169 PUBLISHED

Cisco IoT Field Network Director Command Injection Vulnerability

Assigner: cisco
Reserved: 08.10.2025 Published: 06.05.2026 Updated: 06.05.2026

A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router.

This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to create, read, or delete files and execute limited commands in user EXEC mode on a remote router.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Product Status

Vendor Cisco
Product Cisco IoT Field Network Director (IoT-FND)
Versions Default: unknown
  • Version 4.5.1 is affected
  • Version 4.4.3 is affected
  • Version 4.1.0 is affected
  • Version 4.1.3 is affected
  • Version 4.6.1 is affected
  • Version 4.1.1 is affected
  • Version 4.4.0 is affected
  • Version 4.2.0 is affected
  • Version 4.4.2 is affected
  • Version 4.3.0 is affected
  • Version 4.6.0 is affected
  • Version 4.4.4 is affected
  • Version 4.3.2 is affected
  • Version 4.1.2 is affected
  • Version 4.4.1 is affected
  • Version 4.5.0 is affected
  • Version 4.3.1 is affected
  • Version 4.7.0 is affected
  • Version 4.6.2 is affected
  • Version 4.7.1 is affected
  • Version 4.7.2 is affected
  • Version 4.8.0 is affected
  • Version 4.8.1 is affected
  • Version 4.9.0 is affected
  • Version 4.9.1 is affected
  • Version 4.10.0 is affected
  • Version 4.9.2 is affected
  • Version 4.11.0 is affected
  • Version 4.12.0 is affected
  • Version 4.12.1 is affected

Exploits

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

References

Problem Types

  • Improper Neutralization of Special Elements used in a Command ('Command Injection') cwe