A vulnerability in the administrative web interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information or modify certain device settings.
The vulnerability is due to improper controls on certain pages in the web interface. An attacker with authenticated access to the administrative web interface could access pages that should be restricted to a more privileged access role.
Cisco has confirmed the vulnerability and released software updates.
To exploit this vulnerability, an attacker must authenticate to the targeted device. This access requirement decreases the likelihood of a successful exploit.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.