Cisco Identity Services Engine Information Disclosure Vulnerability

A vulnerability in the web framework of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access information on a targeted device that is normally available only to authenticated users.

The vulnerability is due to improper implementation of session handlers set on an affected device. An attacker could exploit this vulnerability by accessing the affected web pages on a targeted device. A successful exploit could allow the attacker to gain access to sensitive information, such as reports generated by the MnT component, which could be leveraged to conduct further attacks.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker may need access to trusted, internal networks to gain access to the affected web pages on a targeted device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.