Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Cisco Patches High Severity Vulnerabilities in BPA, WSA

Cisco this week released patches for high-severity vulnerabilities in Business Process Automation (BPA) and Web Security Appliance (WSA) that expose users to privilege escalation attacks.

Cisco this week released patches for high-severity vulnerabilities in Business Process Automation (BPA) and Web Security Appliance (WSA) that expose users to privilege escalation attacks.

Two security holes were addressed in Business Process Automation (BPA), both featuring a CVSS score of 8.8. An authenticated, remote attacker able to exploit these could elevate their privileges to administrator, Cisco warned in an advisory.

The issues exist because authorization isn’t properly enforced for specific features and for access to log files containing sensitive information.

Tracked as CVE-2021-1574, the first vulnerability could be exploited by sending crafted HTTP messages to a vulnerable system, which would allow an attacker to perform unauthorized actions as administrator.

While a legitimate user maintains an active session on a vulnerable system, an attacker could exploit the second vulnerability – CVE-2021-1576 – to retrieve sensitive data from log files. The attacker could then use that data to impersonate a privileged user.

Cisco BPA versions earlier than release 3.1 are affected. There are no workarounds to mitigate these vulnerabilities and users are advised to update to a patched version as soon as possible.

Tracked as CVE-2021-1359, the vulnerability affecting AsyncOS for Web Security Appliance (WSA) could be exploited by an authenticated, remote attacker to inject commands and gain root privileges.

The issue has a CVSS score of 6.3, given that successful exploitation of the bug requires for the attacker to have valid credentials for a user account that has the rights to upload configuration files.

Both virtual and hardware AsyncOS for WSA appliances are affected and no workaround exists, Cisco says. Customers are advised to update to AsyncOS for WSA versions 12.0.3-005 or 12.5.2 (maintenance release set to arrive within the next few days), which include patches for the bug.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild.

This week, the company also published details on a series of medium risk vulnerabilities identified in SD-WAN, Virtualized Voice Browser, Identity Services Engine (ISE), Video Surveillance 7000 Series IP cameras, BroadWorks Application Server, and Adaptive Security Device Manager (ASDM) Launcher.

Additionally, the company confirmed that multiple Cisco products are affected by a security hole in the TrustZone implementation in certain Broadcom MediaxChange firmware. Exploitation of the bug requires physical access to the affected devices and for the attacker to dismount the backplate to trigger impulses on the chipset.

Information on all of these vulnerabilities is available on Cisco’s security portal.

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild

Related: Cisco Plugs High-Risk Security Flaws in Webex, SD-WAN

Related: Cisco Patches Critical Flaws in SD-WAN, HyperFlex HX Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.