Security News > 2021 > February > Cisco Warns of Critical Auth-Bypass Security Flaw
A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication.
The flaw stems from improper token validation on an API endpoint in Cisco's ACI MSO. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller devices," said Cisco on Wednesday.
The glitch is considered critical because an attacker - without any authentication - could remotely could exploit it, merely by sending a crafted request to the affected API. Cisco said that ACI MSO versions running a 3.0 release of software are affected.
Another critical flaw for Cisco exists in the Application Services Engine.
The flaw affects Cisco Application Services Engine Software releases 1.1(3d) and earlier.
In January, Cisco warned of a high-severity flaw in its smart Wi-Fi solution for retailers, which could allow a remote attacker to alter the password of any account user on affected systems.
News URL
https://threatpost.com/cisco-critical-security-flaw/164255/
Related news
- 89% of Enterprise GenAI Usage Is Invisible to Organizations Exposing Critical Security Risks, New Report Reveals (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- Stealthy Apache Tomcat Critical Exploit Bypasses Security Filters: Are You at Risk? (source)
- Critical Cisco Smart Licensing Utility flaws now exploited in attacks (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical flaw in Next.js lets hackers bypass authorization (source)
- Critical auth bypass bug in CrushFTP now exploited in attacks (source)