Cisco Connected Grid Network Management System SQL Injection Vulnerabilities

A vulnerability in device management of the Cisco Connected Grid Network Management System (CG-NMS) could allow an unauthenticated, remote attacker to modify data in the CG-NMS database by using SQL injection.

The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including SQL statements in an entry field.

Cisco has confirmed the vulnerability in a security notice and software updates are available.

To exploit the vulnerability, an attacker would need access to trusted, internal networks to send the crafted queries to the targeted system. This access requirement may reduce the likelihood of a successful attack.

Customers are advised to review the bug reports in the vendor announcements section for a current list of affected versions.