Cisco IOS XE Routers Exposed To Rare 10/10-Severity Security Flaw

It has been reported that Cisco is urging customers to install updates for a critical bug affecting its widely deployed IOS XE operating system, which powers millions of enterprise network devices around the world. The bug carries a rare Common Vulnerability Scoring System (CVSS) version 3 score of 10.0 out of a possible 10 and allows an unauthenticated attacker on the internet to bypass authentication on an affected IOS XE device without knowing a valid password.

Expert Comments

August 30, 2019
Scott Caveza
Research Engineer Manager
Tenable
The critical authentication bypass flaw in Cisco IOS XE could be exploited by an unauthenticated, remote attacker sending specially crafted HTTP requests to a vulnerable device, resulting in the exposure of an authenticated user's token-id. While the flaw is critical, it's important to note there are a number of requirements for successful exploitation, including that the device has both installed and enabled an affected version of the Cisco REST API virtual service container. In addition, a user must be logged into the device in order to obtain the token-id. Cisco has released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container, and has implemented additional safeguards in updated IOS XE versions.
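The comment above makes the practical point that exposure depends on whether the REST API virtual service container is actually installed and activated on a given device. The following is an added example, not code from the page, from Cisco or from Tenable, that triages that precondition from the text of an IOS XE `show virtual-service list` command. The column layout of that output (Name, Status, Package Name) and the sample rows, container names and version numbers are assumptions constructed for the example; the script deliberately reports the container's OVA version rather than deciding which versions are affected, so the admin compares it against the fixed OVA named in Cisco's advisory.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, assumed to match the shape of `show virtual-service list`
# on IOS XE: a title line, a column header, a separator, then one row per
# container. The names, statuses and version numbers are made up.
SAMPLE_OUTPUT = """\
Virtual Service List:

Name                    Status             Package Name
------------------------------------------------------------------
csr_mgmt                Activated          iosxe-remote-mgmt.16.09.01.ova
guestshell              Installed          guestshell.ova
"""

# A data row is three whitespace-separated tokens: name, status, package file.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
# The REST API container ships as iosxe-remote-mgmt.<major>.<minor>.<patch>.ova
# (file name pattern taken from the fixed package the advisory names).
REST_PKG_RE = re.compile(r"^iosxe-remote-mgmt\.(\d+\.\d+\.\d+)\.ova$")


def parse_virtual_services(text: str) -> List[Dict[str, str]]:
    """Parse the rows of a virtual-service list into name/status/package dicts."""
    rows: List[Dict[str, str]] = []
    header_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Everything before the column header (e.g. the title line) is ignored.
        if line.startswith("Name") and "Status" in line:
            header_seen = True
            continue
        if not header_seen or line.startswith("-"):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({"name": m.group(1), "status": m.group(2), "package": m.group(3)})
    return rows


def rest_api_container_state(text: str) -> Optional[Dict[str, object]]:
    """Return the REST API container's name, OVA version and activation state, or None if absent."""
    for row in parse_virtual_services(text):
        m = REST_PKG_RE.match(row["package"])
        if m:
            return {
                "name": row["name"],
                "version": m.group(1),
                # Only an activated container serves the REST API over HTTP.
                "activated": row["status"].lower() == "activated",
            }
    return None


def triage(text: str) -> str:
    """Classify a device by the precondition the advisory commentary describes.

    Returns one of:
      rest-api-container-not-installed
      installed-not-activated:<version>
      activated:<version>   (compare <version> with the fixed OVA in the advisory)
    """
    state = rest_api_container_state(text)
    if state is None:
        return "rest-api-container-not-installed"
    if not state["activated"]:
        return f"installed-not-activated:{state['version']}"
    return f"activated:{state['version']}"


if __name__ == "__main__":
    for row in parse_virtual_services(SAMPLE_OUTPUT):
        print(row)
    print(triage(SAMPLE_OUTPUT))
```

In practice the command output would be collected from each device (for example over SSH with a network automation tool) and fed to `triage`; devices reporting `activated:<version>` with a version older than the fixed OVA are the ones to patch first, and devices with the container merely installed but not activated can be scheduled afterwards.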
