Cisco: CISCO-SA-20110330-CVE-2011-0951
Mar 30, 2011 - 4:24 p.m.

Cisco Secure Access Control System Password Modification Vulnerability

2011-03-30 16:24:19
tools.cisco.com
10

EPSS: 0.015 (Low), percentile 86.7%

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to modify user passwords.

The vulnerability is due to improper security restrictions on user password change functions in the web-based management interface of the Cisco Secure ACS application. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to the system. If successful, the attacker could modify user account passwords.

Cisco has confirmed this vulnerability in a security advisory and released updated software.

To exploit this vulnerability, an attacker must be able to send malicious requests to the targeted system. Attackers may require access to internal networks to accomplish an exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
