Cisco Integrated Management Controller Vulnerability Could Allow Unauthorized Access to Administrative User Accounts
CVE-2020-26062

5.3MEDIUM

Key Information:

Vendor
Cisco
Status
Cisco Unified Computing System (managed)
Vendor
CVE Published:
18 November 2024

Summary

A vulnerability exists in Cisco Integrated Management Controller that could enable an unauthenticated, remote attacker to enumerate valid usernames in the application. This issue arises from variations in the authentication responses that the application generates during login attempts. By exploiting this vulnerability, an attacker could send crafted authentication requests, identifying valid administrative usernames. This information could lead to follow-up attacks targeting those accounts. Mitigation options are limited as there are no effective workarounds to address this vulnerability.

Affected Version(s)

Cisco Unified Computing System (Managed) 4.0(1a)

Cisco Unified Computing System (Managed) 3.2(3n)

Cisco Unified Computing System (Managed) 4.1(1a)

References

https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.