Security Experts:

Connect with us

Hi, what are you looking for?



Cisco Users Informed of Vulnerabilities in Identity Services Engine

Cisco has informed customers about two vulnerabilities found by a researcher in its Identity Services Engine product, including a high-severity issue.

Cisco has informed customers about two vulnerabilities found by a researcher in its Identity Services Engine product, including a high-severity issue.

Davide Virruso of Yoroi discovered that the web-based management interface of Identity Services Engine is affected by an unauthorized file access flaw that can allow a remote, authenticated attacker to read and delete files on impacted devices. The issue is tracked as CVE-2022-20822.

“An attacker could exploit this vulnerability by sending a crafted HTTP request that contains certain character sequences to an affected system. A successful exploit could allow the attacker to read or delete specific files on the device that their configured administrative level should not have access to,” Cisco explained.

Cisco is working on software updates that should address the security hole — updates are expected to become available in November 2022 and January 2023 — but it has informed customers that hot patches may be available on request.

Virruso also identified a cross-site scripting (XSS) vulnerability in the External RESTful Services (ERS) API of Identity Services Engine. The flaw can be exploited to execute arbitrary script code by getting an authenticated user to click on a specially crafted link.

This flaw has been patched in one version and hot fixes may be available on request for other versions.

Cisco noted in the advisories covering these vulnerabilities that it’s not aware of malicious attacks, but said proof-of-concept (PoC) exploit code will be made available after software fixes are released.

“Public reports of the vulnerability, including a description and classification without specific technical details, will become available after publication of this advisory,” Cisco said.

However, Virruso told SecurityWeek that no additional information is being shared at this time.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday told organizations to review Cisco’s advisories and take action if necessary.

Related: Malicious Emails Can Crash Cisco Email Security Appliances

Related: Cisco Patches 11 High-Severity Vulnerabilities in Security Products

Related: Cisco Patches High-Severity Vulnerability in Security Solutions

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.