Cisco has issued software updates to patch several critical and high-severity vulnerabilities in its Data Center Network Manager.
The vulnerabilities, reported by security researcher Steven Seeley, stem from static encryption keys and static credentials shipped with the product, and they affect the REST API endpoint, the SOAP API endpoint, and the web-based management interface.
Although Cisco is not aware of any active exploitation of these vulnerabilities, the most serious of them would allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. Because the keys and credentials are the same on every installation, anyone who can obtain a copy of the software can recover them; only the vendor patch, which replaces the static material, removes the exposure.
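To make the weakness class concrete, here is an added illustration, written for this page and not Cisco's code or a description of DCNM's actual token format: the key value, the token layout and the two service classes are assumptions for the example. It shows why a signing key baked into the shipped software lets anyone holding a copy of that software forge an administrator session on every installation, and why a key generated per install does not.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical hard-coded key, identical in every copy of the software (constructed).
STATIC_KEY = b"built-in-key-shared-by-every-install"


def sign_token(claims: dict, key: bytes) -> str:
    """Build a signed session token: urlsafe-base64(JSON claims) + '.' + HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode().rstrip("=")
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str, key: bytes):
    """Return the claims if the MAC verifies under `key`, otherwise None."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


class VulnerableService:
    """Every deployment verifies tokens with the same key compiled into the code."""

    def __init__(self):
        self.key = STATIC_KEY

    def is_admin(self, token: str) -> bool:
        claims = verify_token(token, self.key)
        return claims is not None and claims.get("role") == "admin"


class HardenedService:
    """Each deployment generates its own random key at install time."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def issue(self, user: str, role: str) -> str:
        return sign_token({"user": user, "role": role}, self.key)

    def is_admin(self, token: str) -> bool:
        claims = verify_token(token, self.key)
        return claims is not None and claims.get("role") == "admin"


def attacker_forges_admin_token() -> str:
    # The attacker never logged in; they pulled STATIC_KEY out of their own copy
    # of the software, which is the same key every customer's install uses.
    return sign_token({"user": "attacker", "role": "admin"}, STATIC_KEY)


def demo() -> dict:
    """Replay the same forged token against both deployments."""
    forged = attacker_forges_admin_token()
    hardened = HardenedService()
    legit = hardened.issue("operator", "admin")
    return {
        "vulnerable_accepts_forged": VulnerableService().is_admin(forged),
        "hardened_accepts_forged": hardened.is_admin(forged),
        "hardened_accepts_own_token": hardened.is_admin(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the HMAC construction itself is sound in both services; what differs is key provenance. A key that exists in the shipped artifact cannot be rotated by customers and is effectively public, so the only real fix is the one a patch provides: replace it with material generated on each installation.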
Additionally, Eduard Kovacs at SecurityWeek reports:
“Two of the high-severity flaws, described as SQL injection bugs, require administrative privileges and they allow an attacker to execute arbitrary SQL commands on a device.
Three of the high-severity weaknesses allow an attacker who has admin privileges to conduct path traversals, and two other high-severity flaws allow an attacker with admin rights to inject arbitrary commands on the underlying operating system.”
Cisco has published several advisories covering a dozen vulnerabilities in Data Center Network Manager; the full list is available from Cisco's security advisories.