Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products

Cisco this week announced the release of patches for multiple vulnerabilities across its product portfolio, including high-severity defects in identity, email, and web security products.

The most severe of these issues is CVE-2022-20961 (CVSS score of 8.8), a cross-site request forgery (CSRF) flaw in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to perform arbitrary actions on a vulnerable device.

The issue exists because the web-based management interface of impacted devices does not have sufficient CSRF protections and can be exploited if an attacker tricks a user into clicking on a crafted link.
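Cisco has not published the affected ISE endpoint or request details, so the following is an added, generic illustration of the flaw class described above, not Cisco's code and not taken from the advisory. It simulates in-process (no network) a state-changing management action that is authenticated by session cookie alone, which a crafted page can trigger from the victim's browser, next to the same action protected by an Origin check and a session-bound synchronizer token. The endpoint path, session store, user table and host names are assumptions.

```python
"""Added example (not Cisco's code): a cookie-only management action versus one
with CSRF protection. Requests are simulated in-process; endpoint, session
store, user table and host names are assumptions for illustration."""

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # browser attaches these automatically
    form: dict = field(default_factory=dict)      # body controlled by whoever built the form
    headers: dict = field(default_factory=dict)   # Origin is set by the browser, not the page


SESSIONS = {}   # session id -> {"user": ..., "csrf": per-session token}
USERS = {}      # hypothetical admin-user table the endpoint mutates


def login(username: str) -> dict:
    """Return the cookies a logged-in browser would carry for the management UI."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_hex(16)}
    return {"sid": sid}


def csrf_token_for(cookies: dict) -> str:
    """Token the legitimate page embeds in its forms; a cross-site page cannot read it."""
    return SESSIONS[cookies["sid"]]["csrf"]


def vulnerable_add_admin(req: Request) -> int:
    """The flaw class: the only check is that a valid session cookie is present."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 403
    USERS[req.form["name"]] = "admin"
    return 200


def hardened_add_admin(req: Request, own_origin: str = "https://ise.example.test") -> int:
    """Same action with two independent CSRF defences."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return 403
    # 1. The browser-supplied Origin must be the interface itself.
    if req.headers.get("Origin") != own_origin:
        return 403
    # 2. The form must carry the token bound to this session (constant-time compare).
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    USERS[req.form["name"]] = "admin"
    return 200


def forged_request(victim_cookies: dict) -> Request:
    """What an auto-submitting form on attacker.example.test makes the victim's
    browser send after the user clicks the crafted link. The browser attaches the
    session cookie (absent a SameSite restriction) and sets the attacker's Origin."""
    return Request("POST", "/admin/users", cookies=victim_cookies,
                   form={"name": "backdoor"},
                   headers={"Origin": "https://attacker.example.test"})


def legitimate_request(cookies: dict) -> Request:
    """A submission from the real management page, token included."""
    return Request("POST", "/admin/users", cookies=cookies,
                   form={"name": "newadmin", "csrf_token": csrf_token_for(cookies)},
                   headers={"Origin": "https://ise.example.test"})


def demo() -> dict:
    """Run both handlers against a forged and a legitimate request."""
    USERS.clear()
    cookies = login("ise-admin")
    return {
        "vulnerable_forged": vulnerable_add_admin(forged_request(cookies)),  # 200: attack works
        "hardened_forged": hardened_add_admin(forged_request(cookies)),      # 403: rejected
        "hardened_legit": hardened_add_admin(legitimate_request(cookies)),   # 200: still usable
        "users": dict(USERS),
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check alone would stop this particular forged request, but the token is what protects the action when Origin is absent (some non-browser clients and older browsers omit it), and a SameSite cookie attribute on the session cookie is the third, browser-side layer a hardened interface would add.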

Cisco ISE is also affected by CVE-2022-20956 (CVSS score of 7.1), an authorization bypass that exists because of improper access control in the web-based management interface, and which can be exploited using crafted HTTP requests.

“A successful exploit could allow the attacker to list, download, and delete certain files that they should not have access to,” Cisco explains.

ISE 3.1 and 3.2 users are advised to contact Cisco for hot patches that address this vulnerability. The tech giant warns that proof-of-concept (PoC) code exploiting this bug will be released once software fixes are made available.

Davide Virruso of Yoroi, the researcher credited by Cisco for reporting CVE-2022-20956, was last month credited for a different high-severity flaw affecting ISE. Contacted at the time by SecurityWeek, Virruso suggested that no information would be made public any time soon.

This week, Cisco also announced patches for CVE-2022-20867 and CVE-2022-20868, two security defects impacting Email Security Appliance (ESA), Secure Email and Web Manager, and Secure Web Appliance.

The bugs, which are not dependent on one another, could allow an authenticated, remote attacker to launch SQL injection attacks with root privileges, or elevate their privileges on a vulnerable system, Cisco explains.

Cisco AsyncOS releases 14.2.1 and 14.3.0 contain patches for ESA and Secure Email and Web Manager. Patches for Secure Web Appliance were included in AsyncOS release 12.5.5 and are planned for AsyncOS releases 14.0.4 and 14.5.1.

Two other high-severity issues that Cisco addressed this week impact the web-based management interface of BroadWorks CommPilot and could lead to arbitrary code execution or sensitive data leaks.

Tracked as CVE-2022-20951 and CVE-2022-20958, the two issues exist because user-supplied input is not sufficiently validated. An attacker could exploit them by sending crafted HTTP requests.

Cisco announced that it is investigating potential impact from two recently disclosed OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786), but that none of its on-premises products are known to be affected.

Additionally, Cisco announced patches for several medium-severity vulnerabilities impacting Cisco Umbrella, ISE, AsyncOS for ESA, and ESA and Secure Email and Web Manager.

Further information on the resolved vulnerabilities can be found on Cisco’s product security page.

Related: Cisco Users Informed of Vulnerabilities in Identity Services Engine

Related: Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product

Related: L2 Network Security Control Bypass Flaws Impact Multiple Cisco Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.