Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Cisco Patches Flaws in Email Security, Other Products

Cisco has patched several high severity vulnerabilities, including ones that allow privilege escalation and denial-of-service (DoS) attacks, in its Unified Customer Voice Portal (CVP), Email Security, and NX-OS products.

Cisco has patched several high severity vulnerabilities, including ones that allow privilege escalation and denial-of-service (DoS) attacks, in its Unified Customer Voice Portal (CVP), Email Security, and NX-OS products.

Software updates released by the company for its Email Security product address a privilege escalation vulnerability (CVE-2018-0095) that allows a local attacker with guest user permissions to gain root access.

The flaw affects the administrative shell of the Email Security Appliance (ESA) and the Content Security Management Appliance (SMA), and it’s caused by an incorrect networking configuration.

“An attacker could exploit this vulnerability by authenticating to the targeted device and issuing a set of crafted, malicious commands at the administrative shell. An exploit could allow the attacker to gain root access on the device,” Cisco said.

A different high severity vulnerability (CVE-2018-0086) was patched by Cisco in its CVP product. The security hole allows a remote, unauthenticated attacker to cause a DoS condition on the device by sending specially crafted SIP invite traffic to the targeted appliance.

A high severity DoS bug (CVE-2018-0102) has also been patched in the NX-OS network operating system. An unauthenticated attacker with access to the network can leverage the flaw to cause vulnerable devices to reload.

“An attacker could exploit this vulnerability by sending a pong request to an affected device from a location on the network that causes the pong reply packet to egress both a FabricPath port and a non-FabricPath port. An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco said in its advisory.

Cisco has also informed customers of two other vulnerabilities affecting NX-OS, including a DoS and a user account deletion issue, but these have been classified as medium severity and they have yet to be patched.

All of these vulnerabilities have been discovered by Cisco itself and there is no evidence of exploitation for malicious purposes.

Cisco released more than 20 advisories on Wednesday, but a majority describe medium severity flaws for which the company has yet to release any patches.

Related: Critical IOS Flaws Expose Cisco Devices to Remote Attacks

Related: Cisco Patches Critical WebEx Vulnerabilities

Related: Cisco Patches Serious Flaws in ISE, VDS TV Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet