A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote malicious user to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the malicious user to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.
Vulnerable Product |
---|
cisco secure access control system 5.2(0.3) |
Two critical vulnerabilities among 20 patches
Cisco's security developers have served up a parcel of patches. First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug. Cisco's notice for CVE-2018-0147 says an attacker could exploit the bug with a crafted Java object, and gain root privilege. The bug affects all units running software up to version 5.8 patch 9, and fortunately while no longer...
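The advisory attributes the flaw to deserialising user-supplied content without restricting which classes the stream may instantiate. The Java program below is an added illustration of that weakness class and its standard mitigation, a JEP 290 `ObjectInputFilter` allowlist (Java 9 or later); it is not Cisco ACS code and says nothing about how ACS itself is implemented. The `LoginRequest` type, the allowlist contents and the depth and reference limits are assumptions chosen for the example.

```java
import java.io.*;
import java.util.Set;

/**
 * Added illustration (not Cisco code): reading untrusted bytes with a bare
 * ObjectInputStream versus reading them behind a class allowlist.
 */
public class DeserializationGuard {

    // Hypothetical application message; the only type expected on the wire.
    public static final class LoginRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String user;
        public LoginRequest(String user) { this.user = user; }
    }

    // Assumed allowlist: the classes a well-formed LoginRequest stream may contain.
    private static final Set<String> ALLOWED = Set.of(
            LoginRequest.class.getName(),
            "java.lang.String");

    /** Weak pattern: any Serializable class on the classpath can be instantiated. */
    public static Object readUnfiltered(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: every class is checked against the allowlist before it is resolved. */
    public static Object readFiltered(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Only size/depth information available for this callback; let the
                // explicit checks below decide, otherwise defer to the default.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            if (info.depth() > 4 || info.references() > 64) {
                return ObjectInputFilter.Status.REJECTED;   // assumed bounds on graph size
            }
            return ALLOWED.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject(); // InvalidClassException for any rejected class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected message, one harmless but non-allowlisted class.
        byte[] expected = serialize(new LoginRequest("alice"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("filtered, expected class: "
                + ((LoginRequest) readFiltered(expected)).user);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
        // The unfiltered reader accepts anything, which is the weakness the advisory describes.
        System.out.println("unfiltered accepts: "
                + readUnfiltered(unexpected).getClass().getName());
    }
}
```

Compile with `javac DeserializationGuard.java` and run with `java DeserializationGuard`. The filter runs before a class is resolved, so a stream naming any type outside the allowlist fails with `InvalidClassException` rather than instantiating it; on JVMs older than 9, the same effect is obtained by subclassing `ObjectInputStream` and overriding `resolveClass` to enforce the allowlist.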