Cisco: CISCO-SA-20141223-CVE-2014-7993
Dec 23, 2014 - 4:00 p.m.

Cisco Meraki HTTP Handler Local Information Disclosure Vulnerability

2014-12-23 16:00:59
tools.cisco.com

CVSS2: 3.3 Low
Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.002 Low
Percentile: 57.3%

A vulnerability in an HTTP handler in Cisco Meraki firmware occurs because the handler does not require requests to come only from the Meraki cloud. This vulnerability could allow a LAN-based attacker to obtain sensitive credential information.

An unauthenticated, remote attacker on an adjacent network could exploit the vulnerability by sending malicious HTTP requests to the unsecured HTTP handler, allowing the attacker to access sensitive information from the affected application.

Cisco Meraki has confirmed the vulnerability and released software updates.

Attackers must have access to networks adjacent to the targeted system to conduct an exploit, reducing the potential for attacks.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Vulners
Node
cisco meraki_ms_firmware, match: any
OR
cisco meraki_mr_firmware, match: any
OR
cisco meraki_mx, match: any
