CVE-2018-0147
Cisco Secure Access Control System Java Deserialization Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.
Una vulnerabilidad en la deserialización de Java utilizada por Cisco Secure Access Control System (ACS) en versiones anteriores a la 5.8, parche 9, podría permitir que un atacante remoto no autenticado ejecute comandos arbitrarios en un dispositivo afectado. La vulnerabilidad se debe a la deserialización no segura por parte del software afectado de contenidos proporcionados por el usuario. Un atacante podría explotar esta vulnerabilidad enviando un objeto Java serializado manipulado. Su explotación podría permitir que el atacante ejecute comandos arbitrarios en el dispositivo con privilegios root. Cisco Bug IDs: CSCvh25988.
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-11-27 CVE Reserved
- 2018-03-08 CVE Published
- 2022-03-25 Exploited in Wild
- 2022-04-15 KEV Due Date
- 2024-01-16 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/103328 | Third Party Advisory | |
http://www.securitytracker.com/id/1040463 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2 | 2020-09-04 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Cisco Search vendor "Cisco" | Secure Access Control System Search vendor "Cisco" for product "Secure Access Control System" | 5.2\(0.3\) Search vendor "Cisco" for product "Secure Access Control System" and version "5.2\(0.3\)" | - |
Affected
|