Cisco has patched three Cisco Security Manager vulnerabilities, one rated Critical and two High severity, that could allow a remote attacker to exploit and obtain sensitive information.
The path traversal vulnerability CVE-2020-27130 affects Cisco Security Manager releases 4.21 and earlier. The issue could allow an unauthenticated, remote attacker to gain access to sensitive information.
“The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device,” Cisco stated in the security advisory.
Cisco added that an attacker could download arbitrary files from impacted network devices.
The Security Manager vulnerability sports a CVSS score of 9.1.
Moreover, Cisco also patched a High risk static credential vulnerability CVE-2020-27125 in Security Manager. The flaw stems from insufficient protection of static credentials in the software.
“A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks,” Cisco warned.
Finally, Cisco fixed a third Cisco Security Manager vulnerability CVE-2020-27131, related to Java deserialization issue.
To address all three vulnerabilities, users should upgrade to Cisco Security Manager Release 4.22.
Readers can check out the latest Cisco advisories as of November 17, 2020. System and Network administrators should deploy security updates to affected devices as soon as possible.