Cisco has released a fix for a vulnerability in the Enterprise NFV Infrastructure Software for which public proof-of-concept exploit code is available.
The vulnerability, tracked as CVE-2021-34746, was found in the TACACS+ authentication, authorization, and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS), and allows unauthenticated attackers to log into unpatched devices as administrators.
The bug is caused by incomplete validation of user-supplied input passed to an authentication script during the login process.
Cisco notes that there are no workarounds that remove the attack vector for this flaw. The vulnerability, however, was fixed in Cisco Enterprise NFVIS 4.6.1 and later versions. Additionally, the company's Product Security Incident Response Team points out that while the proof-of-concept is available, there is no visible evidence that the vulnerability has been exploited in the wild.
For more information, read the original story in Bleeping Computer.