Security News > 2021 > February > Cisco Warns of Critical Auth-Bypass Security Flaw
A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication.
The flaw stems from improper token validation on an API endpoint in Cisco's ACI MSO. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller devices," said Cisco on Wednesday.
The glitch is considered critical because an attacker - without any authentication - could remotely could exploit it, merely by sending a crafted request to the affected API. Cisco said that ACI MSO versions running a 3.0 release of software are affected.
Another critical flaw for Cisco exists in the Application Services Engine.
The flaw affects Cisco Application Services Engine Software releases 1.1(3d) and earlier.
In January, Cisco warned of a high-severity flaw in its smart Wi-Fi solution for retailers, which could allow a remote attacker to alter the password of any account user on affected systems.
News URL
https://threatpost.com/cisco-critical-security-flaw/164255/
Related news
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Critical security hole in Apache Struts under exploit (source)
- The ongoing evolution of the CIS Critical Security Controls (source)
- Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9) (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)