CVE-2016-1297

moderate-risk
Published 2016-02-26

The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A5(3.1) allows remote authenticated users to bypass intended RBAC restrictions and execute arbitrary CLI commands with admin privileges via an unspecified parameter in a POST request, aka Bug ID CSCul84801.

Do I need to act?

-
0.61% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (7)

Application Control Engine Software
Application Control Engine Software
Application Control Engine Software
Application Control Engine Software
Application Control Engine Software
Application Control Engine Software
Application Control Engine Software

Affected Vendors

Cisco

References (4)

Vendor Advisory http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20...
http://www.securitytracker.com/id/1035104
Vendor Advisory http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20...
http://www.securitytracker.com/id/1035104
46
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 2/34 · Minimal
Exposure 14/34 · Moderate