Security News

The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "Read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device.

The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "Read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device.

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.

A high-severity vulnerability in Cisco's network security software could lay bare sensitive data - such as WebVPN configurations and web cookies - to remote, unauthenticated attackers. The flaw exists in the web services interface of Cisco's Firepower Threat Defense software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance software, the operating system for its family of ASA corporate network security devices.

Privacy commissioners worldwide urged video conferencing systems like Microsoft, Cisco and Zoom to adopt end-to-end encryption, two-factor authentication and other security measures. Global privacy commissioners issued a joint public decry against leading video conferencing companies such as Cisco Systems, Microsoft and Zoom to demand the companies beef up their security and privacy strategies.

Critical flaw gives attackers control of vulnerable SAP business applicationsSAP has issued patches to fix a critical vulnerability that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker. Investigation highlights the dangers of using counterfeit Cisco switchesAn investigation, which concluded that counterfeit network switches were designed to bypass processes that authenticate system components, illustrates the security challenges posed by counterfeit hardware.

Cisco has fixed 33 CVE-numbered flaws in a variety of its devices, including five critical ones affecting RV-series VPN routers and firewalls and Cisco Prime License Manager, which is used by enterprises to manage user-based licensing. Cisco Small Business RV110W Wireless-N VPN Firewalls with firmware releases prior to v1.2.2.8 can be taken over by attackers via a system account has a default and static password.

Cisco on Wednesday released security advisories to inform customers of several critical vulnerabilities that can be exploited remotely to hack small business routers and firewalls that are no longer being sold. One of the critical flaws, which is tracked as CVE-2020-3330 and has a CVSS score of 9.8, affects Cisco Small Business RV110W Wireless-N VPN firewalls and it allows a remote and unauthenticated attacker to take full control of a device by connecting to it using a default and static password.

Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical. Affected devices include multiple RV-series routers, the RV110W series VPN Firewall, and the Cisco Prime License Manager.

Cisco has launched an investigation after researchers at F-Secure analyzed two counterfeit Cisco switches that appeared to exploit a previously unknown vulnerability. F-Secure's analysis of the fake Cisco switches focused on the security implications of using such fake devices, particularly if the manufacturer attempted to plant any backdoors.