This exploit is difficult to judge. Some exploitation scores for this vulnerability have been very high, and I understand why: This is a vulnerability on a typically externally facing, or universally-internally-facing service, but the service is optional. While certainly this is a priority to patch and mitigate, I find it hard to understand why a vulnerability on an optional service ranks as a 10/10 on vulnerability scores. That conclusion may be based on my ignorance of deployed Cisco products.
Edit

The issue with ranking exploitability even the vulnerability with rest api in this particular instance would be a combination of “are recommended measures in place to mitigate if it exists in the first place” and “how willing the actor would be be to exploit”. If the given scenario for exploitation presents itself, then it will be fairly quick and easy to exploit and get to the meat and begin enumerating other endpoints and privilege. To even conduct the reconnaissance necessary to have an idea of vulnerability seems a pretty difficult task in my limited knowledge.

That said, if identified and utilized, this is powerful.

While the vulnerable code resides within the Cisco REST API container, the effects of the vulnerability, if exploited, will be experienced on the Cisco device as a whole. This is because exploiting this vulnerability could allow an attacker to submit commands through the REST API that will be executed on the affected device.

The fact that in the blog post sited here on AttackerKB the author uses the work “only” when describing the hardware effected sets off a bit of an alarm bell in my opinion. Any CVE allowing commands at level specified to be issued on an endpoint is cause for concern, especially with something as simple to manipulate as REST API Most certainly if standard reconnaissance methods can identify.

Only the following Cisco platforms supports the affected Cisco REST API container and are therefore potentially impacted by this vulnerability:
    Cisco 4000 Series Integrated Services Routers
    Cisco ASR 1000 Series Aggregation Services Routers
    Cisco Cloud Services Router 1000V Series
    Cisco Integrated Services Virtual Router

Another thing we must remember as researchers, on either side, is that our analysis and public disclosure also acts and beneficial information for any threat actor. So, I’d say definitely be cautious in publishing information that downplays a CVE as it can appear complacency is setting in.

Okay, to end of all my unnecessary commentary I’d say this is a pretty useful vulnerability if risk of exploitation is obvious and in numbers exceeding risk matrices or thresholds developed by in house teams.

https://blogs.cisco.com/security/cve-2019-12643
https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html#~stickynav=1