Cisco Secure Access Control Server Privilege Escalation Vulnerability

A vulnerability in role-based access control in Cisco Secure Access Control Server (ACS) could allow an authenticated, remote attacker to take actions with an elevated authorization level.

The vulnerability is due to improper privilege validation. An attacker could exploit the vulnerability by sending crafted HTTP requests to the Cisco ACS. An exploit could allow the attacker to perform Create, Read, Update, and Delete operations on any Network Identity Group with privileges that should be limited to the Network Device Administrator role.

Cisco has confirmed the vulnerabilities in a security notice and has released software updates.

To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.