{"id":"CVE-2020-3417","details":"A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to execute persistent code at boot time and break the chain of trust. This vulnerability is due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the device or have physical access to the device.","modified":"2026-03-14T10:28:23.112273Z","published":"2020-09-24T18:15:18.730Z","references":[{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xbace-OnCEbyS"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-3417.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.18.0sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1asp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1bsp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1csp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1gsp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1hsp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1isp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.1sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.2asp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.2sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.3asp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.3bsp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.3sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.4sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.5sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.6sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.7sp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.8asp"}]},{"events":[{"introduced":"0"},{"last_affected":"3.18.8sp"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.4a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.4s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.5"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.5a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.5b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.6"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.7"}]},{"events":[{"introduced":"0"},{"last_affected":"16.6.7a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.1b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1d"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1e"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.8.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1d"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.2a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.2s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.3a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.3h"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.3s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.4"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.4c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.5"}]},{"events":[{"introduced":"0"},{"last_affected":"16.9.5f"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1d"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1e"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1f"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1g"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.1b"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.1c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.11.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1c"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1t"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1w"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1x"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.1y"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.2a"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.2s"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.2t"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.12.3a"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1.1a"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1.1s"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1.1t"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}