Security readout for executives and security teams
Plain-English summary
This Cisco vulnerability lets a logged-in local user read restricted system files on affected FXOS or NX-OS devices. The files may contain sensitive information useful for reconnaissance. It is not described as remotely exploitable without credentials, but it can increase risk if an account is compromised or over-privileged.
Executive priority
Treat as a moderate-priority network infrastructure issue. It is credentialed and local, but sensitive file disclosure on switches or security platforms can aid broader compromise. Prioritize validation on internet-adjacent, shared-admin, or high-trust network devices.
Technical view
CVE-2019-1734 is an information disclosure flaw in a CLI diagnostic command caused by incomplete RBAC verification. An authenticated local attacker with valid device credentials could provide crafted input to read arbitrary files from the device. CVSS 3.0 is 5.5, with high confidentiality impact only.
Likely exposure
Exposure is most relevant where Cisco FXOS or NX-OS devices allow CLI access to users whose roles should not read sensitive system files. The source bundle does not provide exact affected versions or fixed release trains.
Exploitation context
The attacker must already have valid credentials and local authenticated access to the device CLI. The bundle does not show CISA KEV listing or other evidence of active exploitation. Successful exploitation supports reconnaissance rather than direct code execution.
Researcher notes
Key constraints are AV:L, PR:L, UI:N, Scope unchanged, confidentiality high, integrity and availability none. The weakness is CWE-200 via incomplete RBAC on a diagnostic CLI path. Version and remediation specifics are not included in the bundle; rely on Cisco’s advisory for those details.
Mitigation direction
- Check Cisco’s advisory for affected releases and fixed software guidance.
- Upgrade affected FXOS or NX-OS software according to Cisco guidance.
- Restrict CLI access to trusted administrators only.
- Review device accounts for least-privilege RBAC assignments.
- Monitor for suspicious diagnostic command usage where logs support it.
Validation and detection
- Inventory Cisco FXOS and NX-OS devices in scope.
- Map running software versions against Cisco’s advisory.
- Review local CLI users and assigned roles.
- Confirm untrusted users cannot access sensitive diagnostic functions.
- Check administrative logs for unusual diagnostic command activity.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2019-1734 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.5 (3.0)
- Known Exploited
- No
- Published
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N1.83.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.0 score
5.5MediumVector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- 20190515 Cisco FXOS and NX-OS Software Sensitive File Read Information Disclosure VulnerabilityCVE reference · vendor-advisory, x_refsource_CISCO
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Exposure of Sensitive Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
