Multiple Cisco products affected by critical vulnerabilities; patch now

Cisco security team have announced the launching of several updates to patch multiple vulnerabilities found in some of its most popular solutions, including SD-WAN, DNA Center and Smart Software Manager Satellite (SSMS) products. This update includes a patch to correct a critical flaw according to the Common Vulnerability Scoring System (CVSS).

The referred vulnerability was tracked as CVE-2021-1299 and resides in the SD-WAN vManage web management interface. Successful exploitation would allow non-authenticated malicious hackers to run arbitrary commands with root privileges; the flaw got a 9.9/10 CVSS score. Cisco addressed another five command injection flaws in SD-WAN vBond Orchestrator, SD-WAN vSmart Controller Software and SD-WAN vManage. Two of these flaws are considered as highly severe, while the last three received low severity CVSS scores.

The company also pointed out the fixing of two buffer overflow vulnerabilities affecting SD-WAN, one of which got a 9.8/10 CVSS score as its successful exploitation would have allowed threat actors to run arbitray code with root privileges on affected systems. These security issues resided in IOS XE SD-WAN, SD-WAN vBond Orchestrator, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage, and SD-WAN vSmart Controller software

The list of updates does not end there. Cisco patched thre critical vulnerabilities affecting the Smart Software Manager Satellite web interface with a 9.8/10 CVSS score. Tracked as CVE-2021-1138, CVE-2021-1140 and CVE-2021-1142, these flaws could have been exploited by non-authenticated malicious hackers to perform an arbitrary command execution attack.

Last but not least, the patches include solutions for two medium-severity vulnerabilities in Cisco Smart Software Manager On-Prem. Tracked as CVE-2021-1139 and CVE-2021-1141, these flaws allowed hackers to perform remote command execution targeting 6.3.0and earlier releases.

Cisco highlights that, so far, there are no known active exploitation cases related to these reports. Nonetheless, researchers may keep investigating any potentially linked incident.

For further reports on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses fell free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.