Cisco Secure Access Control System Unprivileged Support Bundle Download Vulnerability

A vulnerability in the role-based access control code of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to access support bundle information.
The vulnerability is due to a failure to check the user privileges correctly when downloading the support bundle. An attacker could exploit this vulnerability by downloading the support bundle without the appropriate user privileges. An exploit could allow the unprivileged attacker to download the support bundle and access sensitive information such as the user database.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker must authenticate to the affected device. The access requirement decreases the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.