The more severe bugs fixed on Wednesday exist in the company’s Identity Services Engine and its Videoscape Distribution Suite. The bypass, which exists in ISE, a network administration product, stems from the improper handling of authentication requests and policy assignment. If an attacker wanted to exploit the vulnerability they could authenticate with a valid external user account that matches an internal username and incorrectly receive the authorization policy of the internal account. If successful the exploit would grant the attacker Super Admin privileges for the engine’s admin portal, Cisco said.
Cisco Unified Communications 0-day RCE Vulnerability Exploited in the Wild to Gain Root Access
Cisco Warns of Hardcoded Credentials in Enterprise Software