CVE-2018-0147
high-risk
Published 2018-03-08
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.
Do I need to act?
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (1)
Secure Access Control System
Affected Vendors
References (7)
Third Party Advisory
http://www.securityfocus.com/bid/103328
Third Party Advisory
http://www.securitytracker.com/id/1040463
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-...
51 / 100
high-risk
Severity
32/34 · Critical
Exploitability
14/34 · Moderate
Exposure
5/34 · Minimal