Arthur Vidineyev

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Manager versions prior to 20.18 **Description** A flaw in the Data Collection Agent (DCA) feature allows an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This issue is caused by the presence of a credential file for the DCA user. An attacker can exploit this by sending a crafted HTTP request to read the file containing the DCA password, potentially allowing access to other affected systems and privilege escalation. **Recommendations** Update to version 20.18 or later.

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Manager (affected versions not specified) **Description** Insufficient file system access restrictions could allow an unauthenticated, remote attacker to view sensitive information on the underlying operating system. Exploitation can occur by accessing the system API or the `vshell` (for attackers with netadmin privileges). This issue may lead to unauthorized system access, privilege escalation to root, exfiltration of sensitive data, and the silent overwriting of critical files. There are reports of this issue being actively exploited in real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Manager versions prior to 20.18 **Description** A flaw exists in the API user authentication of Cisco Catalyst SD-WAN Manager that could allow an unauthenticated, remote attacker to gain access to an affected system with `netadmin` privileges. The issue is due to improper authentication for requests sent to the API. An attacker could exploit this by sending a crafted request to the API, potentially allowing them to execute commands with `netadmin` privileges. The API endpoint is vulnerable to authentication bypass. The `netadmin` role provides elevated access, potentially leading to full control over the affected system. **Recommendations** Upgrade to Cisco Catalyst SD-WAN Manager version 20.18 or later.

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Manager (affected versions not specified) **Description** A flaw exists in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system. This is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this by sending a request to the REST API. A successful exploit could allow the attacker to gain root privileges on the underlying operating system. The vulnerable component is the REST API. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Catalyst SD-WAN Manager (affected versions not specified) **Description** An issue in the API of Cisco Catalyst SD-WAN Manager, specifically within the Data Collection Agent (DCA) service, results from improper file handling and the incorrect use of privileged application programming interfaces (APIs). An authenticated remote attacker with valid read-only credentials and API access can exploit this by uploading a malicious file to the local file system. This allows the attacker to overwrite arbitrary files, potentially leading to the acquisition of vmanage user privileges and unauthorized access to protected information. This issue has been actively exploited in real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** The issue is related to unlimited file upload of dangerous types. An attacker with valid Administrator credentials could exploit this by uploading a crafted file to the device, potentially allowing them to store malicious files in specific directories and later execute arbitrary code on the device with root privileges. The exploitation requires improper validation of files uploaded to the web-based management interface. **Recommendations** For all affected versions, ensure that only authorized and validated files are uploaded to the device. As a temporary workaround, consider restricting access to the file upload feature in the web-based management interface until a patch is available. Restrict access to specific directories where malicious files could be stored to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco ISE (affected versions not specified) **Description** The issue is related to improper validation of files uploaded to the web-based management interface, allowing an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this, an attacker must have valid Administrator credentials on the affected device. A successful exploit could allow the attacker to store malicious files in specific directories on the device, potentially leading to additional attacks, including executing arbitrary code on the affected device with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE). These vulnerabilities could allow an authenticated, remote attacker to read arbitrary files or conduct a server-side request forgery (SSRF) attack through an affected device. To exploit these vulnerabilities, an attacker must have valid Administrator credentials on the affected device. Additionally, there is an issue with incorrect restriction of XML links to external objects, which could allow a remote attacker to gain unauthorized access to protected information by uploading a specially crafted XML file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** The issue is related to deficiencies in directory path checking, allowing an attacker to perform path traversal attacks on the underlying operating system. This could enable an attacker to either elevate privileges to root or read arbitrary files. To exploit this, an attacker must have valid Administrator credentials on the affected device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Identity Services Engine (ISE) (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the Cisco Identity Services Engine (ISE) that could allow an authenticated attacker to delete or read arbitrary files on the underlying operating system. To exploit these vulnerabilities, an attacker must have valid credentials on an affected device. The vulnerabilities are associated with the implementation of client-side security features in the web interface of the Cisco Identity Services Engine (ISE) platform. An attacker could exploit the vulnerability by sending a specially crafted HTTP request to read arbitrary files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Network Services Orchestrator (NSO) (affected versions not specified) **Description** A vulnerability in the NETCONF service could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected system running as the root user. The attacker must be a member of the admin group to exploit this vulnerability. This issue exists because user-supplied input is not properly validated when NETCONF is used to upload packages to an affected device. An attacker could exploit this by uploading a specially crafted package file, allowing them to write crafted files to arbitrary locations on the filesystem or delete arbitrary files, resulting in a DoS condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco ISE (affected versions not specified) **Description** A vulnerability in the ERS API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to improper privilege management in the ERS API. An attacker could exploit this vulnerability by sending a crafted request to an affected device. A successful exploit could allow the attacker to elevate their privileges beyond the sphere of their intended access level, which would allow them to obtain sensitive information from the underlying operating system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the ERS API until a patch is available. To verify the status of the ERS API in the Admin GUI, choose Administration > Settings > API Settings > API Service Settings.

**Name of the Vulnerable Software and Affected Versions** Cisco StarOS (affected versions not specified) **Description** A vulnerability in the CLI of Cisco StarOS could allow an authenticated, local attacker to elevate privileges on an affected device. This issue is due to insufficient input validation of CLI commands. An attacker could exploit this vulnerability by sending crafted commands to the CLI, potentially allowing the execution of arbitrary code with the privileges of the root user. To exploit this vulnerability, an attacker would need to have valid administrative credentials on an affected device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) (affected versions not specified) **Description** A vulnerability in the API endpoint of the affected systems could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device. The vulnerability was discovered by Cisco during internal security testing, and there are no public reports of exploitation at this time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) (affected versions not specified) Description: A vulnerability in an API endpoint could allow an authenticated, remote attacker with Administrator read-only credentials to elevate privileges on an affected system due to insufficient role-based access control (RBAC). The attacker could exploit this by sending a specific API request using an app with admin write credentials, potentially allowing them to elevate privileges to Administrator with write privileges. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the web UI and API endpoints of the affected system. A remote attacker could exploit these vulnerabilities to perform a command injection or file upload attack. The vulnerability exists due to the lack of neutralization of special elements used in the operating system command. This could allow a remote attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the web UI and API endpoints of the affected system, which could allow a remote attacker to perform a command injection or file upload attack. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Cisco ACI Multi-Site Orchestrator (MSO) (affected versions not specified) Description: A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The issue is due to improper token validation on a specific API endpoint. An attacker could exploit this by sending a crafted request to the affected API, potentially receiving a token with administrator-level privileges to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN products (affected versions not specified) Cisco IOS XE SD-WAN (affected versions not specified) Cisco SD-WAN vBond Orchestrator (affected versions not specified) Cisco SD-WAN vEdge Cloud Routers (affected versions not specified) Cisco SD-WAN vEdge Routers (affected versions not specified) Cisco SD-WAN vSmart Controller (affected versions not specified) Cisco SD-WAN vManage (affected versions not specified) **Description** Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. The vulnerability is related to a buffer overflow in the UDP protocol implementation. **Recommendations** For Cisco SD-WAN products, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco IOS XE SD-WAN, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco SD-WAN vBond Orchestrator, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco SD-WAN vEdge Cloud Routers, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco SD-WAN vEdge Routers, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco SD-WAN vSmart Controller, update to a version that includes the software updates released by Cisco to address these vulnerabilities. For Cisco SD-WAN vManage, update to a version that includes the software updates released by Cisco to address these vulnerabilities.