An authenticated user’s iControl REST token may remain valid for a limited time after logging out from the Configuration utility. (CVE-2022-35728)
Impact
A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user’s iControl REST token generated from the Configuration utility, and use it through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.