CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS
Percentile
29.4%
A vulnerability in the Cisco Integrated Management Controller of the Cisco Unified Computing System (UCS) C-Series Servers could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the affected device.
The vulnerability is due to improper validation of the SSL certificate used to manage the device. An attacker could exploit this vulnerability by using the default SSL certificate to intercept, decrypt, read, and write information.
Cisco has confirmed the vulnerability; however, software updates are not available.
A successful exploit of this vulnerability could allow the attacker to impact the confidentiality of information transmitted by the device by decrypting encrypted content and accessing sensitive information, which could be used to conduct further attacks.
The attacker may need access to trusted, internal networks to use the default SSL certificate used to manage the device, making exploitation more difficult in environments that restrict access to untrusted sources.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | unified_computing_system | any | cpe:2.3:h:cisco:unified_computing_system:any:*:*:*:*:*:*:* |
cisco | unified_computing_system_software | any | cpe:2.3:a:cisco:unified_computing_system_software:any:*:*:*:*:*:*:* |