Netsweeper prior to 4.0.5 allows remote malicious users to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.
netsweeper netsweeper