What Is Cisco Prime DCNM?
Cisco Prime Data Center Network Manager (DCNM) is an enterprise network management platform for Cisco Nexus and MDS data center switches. It provides centralized provisioning, monitoring, topology visualization, and configuration management for data center fabric environments running NX-OS. DCNM is deployed in large enterprise and service provider data centers as the primary management plane for critical network infrastructure — making its security particularly significant, as compromise of a DCNM server provides administrative visibility and control over the entire managed network fabric.
Overview
CVE-2015-0666 is an unauthenticated directory traversal vulnerability in the fmserver servlet of Cisco Prime DCNM that allows remote attackers to read arbitrary files on the DCNM server filesystem. No authentication is required — an attacker can send a specially crafted HTTP request with path traversal sequences to read any file accessible to the DCNM application process, including configuration files, credentials, and system files. Fixed in Cisco Prime DCNM 7.1(1).
Affected Versions
| Cisco Prime DCNM | Status |
|---|---|
| DCNM < 7.1(1) | Vulnerable |
| DCNM 7.1(1) and later | Fixed |
Technical Details
Root Cause: Path Traversal in fmserver Servlet
The fmserver servlet in Cisco Prime DCNM handles requests for file management or media serving functions within the DCNM web application. The servlet does not adequately validate or restrict the file path specified in incoming HTTP requests — allowing ../ directory traversal sequences to escape the intended web root or application directory and reach arbitrary filesystem locations.
An attacker can craft a URL targeting fmserver with traversal sequences:
GET /fmserver/../../../../../../../../etc/passwd HTTP/1.1
Or on Windows-hosted DCNM:
GET /fmserver/..\..\..\..\windows\win.ini HTTP/1.1
The servlet processes the traversal without restriction and returns the contents of the requested file in the HTTP response.
High-Value Files Accessible
On a DCNM server, unauthenticated file read enables retrieval of:
- DCNM database credentials — for the embedded PostgreSQL or Oracle database
- Network device credentials — SNMP community strings, SSH keys, Telnet passwords stored in DCNM configuration
- SSL/TLS private keys — DCNM web server certificate keys
- OS-level credentials — /etc/shadow (if process runs as root), Windows SAM hive paths
- Application configuration — dcnm.properties, server.xml with embedded credentials
Disclosure of network device credentials directly enables lateral movement to managed Nexus and MDS switches throughout the data center.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — HTTP request to DCNM web interface |
| Authentication | None required |
| Impact | Arbitrary file read — confidentiality only |
| High-Value Data | Device credentials, DB passwords, private keys |
| Affected Servlet | fmserver in Cisco Prime DCNM |
Discovery
Reported to Cisco and addressed in Cisco Security Advisory cisco-sa-20150401-dcnm (April 1, 2015). Cisco assigned bug ID CSCus00238.
Exploitation Context
- Data center infrastructure targeting: DCNM manages Cisco Nexus and MDS switches in enterprise and service provider data centers; compromise of DCNM credentials provides direct access to the managed network fabric
- Credential harvesting: Unauthenticated file read on a DCNM server enables retrieval of network device credentials (SNMP, SSH) without requiring any compromise of the devices themselves — the management plane becomes the attack path
- Nation-state interest in network infrastructure: Advanced threat actors consistently target network management systems as high-value footholds providing persistent visibility into network traffic and enabling lateral movement
- CISA KEV (2022): Added March 2022, confirming active exploitation against unpatched DCNM deployments in critical infrastructure environments
Remediation
- Upgrade to Cisco Prime DCNM 7.1(1) or later. Verify the installed version via the DCNM GUI: Help → About Cisco Prime DCNM.
- Restrict network access — DCNM should never be directly accessible from the internet or untrusted network segments. Restrict access to the DCNM web interface (TCP 443/80) to management network ranges only, using firewall ACLs.
- Rotate credentials — if running a vulnerable version, assume DCNM configuration files may have been read. Rotate: DCNM database credentials, SNMP community strings for managed devices, SSH keys/passwords stored in DCNM, and the DCNM admin password.
- Review DCNM access logs — examine HTTP access logs for traversal patterns (../, %2e%2e) in requests targeting the fmserver endpoint.
- Apply Cisco DCNM hardening guidance — follow Cisco's DCNM deployment best practices for isolation and access control of the management platform.
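The access-log review step above, sketched as an added example (not Cisco tooling and not code from the advisory): it percent-decodes each request target until stable, flags `..` path segments in requests that reference fmserver, and marks whether the server answered with a 2xx status. The combined log format, the sample lines, the documentation-range IP addresses and the file names `report..v2.pdf` and `/login.jsp` are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed log layout: combined format (client, ..., "METHOD target HTTP/x", status).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A ".." path segment bounded by / or \ (or string edges); "report..v2.pdf" does not match.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample lines (documentation-range IPs; file names are illustrative).
SAMPLE_LOG = [
    r'192.0.2.10 - - [02/Apr/2015:10:01:22 +0000] "GET /fmserver/../../../../etc/passwd HTTP/1.1" 200 1432',
    r'198.51.100.7 - - [02/Apr/2015:10:03:05 +0000] "GET /fmserver/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210',
    r'203.0.113.5 - - [02/Apr/2015:10:07:41 +0000] "GET /fmserver/..\..\windows\win.ini HTTP/1.1" 200 92',
    r'192.0.2.44 - - [02/Apr/2015:10:09:13 +0000] "GET /fmserver/report..v2.pdf HTTP/1.1" 200 5120',
    r'192.0.2.44 - - [02/Apr/2015:10:09:30 +0000] "GET /login.jsp HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encodings cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_fmserver_traversal(lines):
    """Return (client_ip, decoded_target, status, served) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        if "fmserver" in target.lower() and TRAVERSAL_RE.search(target):
            status = int(m.group("status"))
            # A 2xx answer means file contents may have been returned: rotate credentials.
            hits.append((m.group("ip"), target, status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for ip, target, status, served in find_fmserver_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {'SERVED' if served else 'rejected'} {target}")
```

Hits marked as served are the ones that should drive the credential rotation described above; rejected hits still indicate probing of the endpoint.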
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2015-0666 |
| Vendor / Product | Cisco — Prime Data Center Network Manager (DCNM) |
| NVD Published | 2015-04-03 |
| NVD Last Modified | 2026-01-12 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2015-04-01 | Cisco Security Advisory cisco-sa-20150401-dcnm published |
| 2015-04-03 | CVE-2015-0666 published by NVD |
| 2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2015-0666 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Cisco Security Advisory cisco-sa-20150401-dcnm — Cisco Prime DCNM File Disclosure Vulnerability | Vendor Advisory |