Cisco fixes Security Manager vulnerabilities with public exploits
Security News, December 2020
Cisco has released security updates to address multiple pre-authentication vulnerabilities in Cisco Security Manager, for which public exploits exist, that could allow remote code execution if successfully exploited.
Cisco Security Manager helps manage security policies on a large assortment of Cisco security and network devices, and it also provides summarized reports and security event troubleshooting capabilities.
These vulnerabilities affect Cisco Security Manager releases 4.22 and earlier. Cisco disclosed them on November 16, after Code White security researcher Florian Hauser reported them in August.
Hauser shared proof-of-concept exploits for all 12 Cisco Security Manager vulnerabilities he reported after Cisco PSIRT stopped responding.
Cisco addressed two of the 12 vulnerabilities but did not provide security updates for the multiple remaining bugs, which are collectively tracked as CVE-2020-27131.
Related vulnerability

| Date | CVE | Vulnerability title | Description | Risk (CVSS) |
|---|---|---|---|---|
| 2020-11-17 | CVE-2020-27131 | Deserialization of Untrusted Data vulnerability in Cisco Security Manager | Multiple vulnerabilities in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. | 9.8 |