A vulnerability in role-based access control in Cisco Secure Access Control Server (ACS) could allow an authenticated, remote malicious user to take actions with an elevated authorization level. The vulnerability is due to improper privilege validation. An attacker could exploit the vulnerability by sending crafted HTTP requests to the Cisco ACS. An exploit could allow the malicious user to perform Create, Read, Update, and Delete operations on any Network Identity Group with privileges that should be limited to the Network Device Administrator role. Cisco has confirmed the vulnerabilities in a security notice and has released software updates. To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the malicious user to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
cisco secure access control system - |
Vulmon