CyberSec.Space Logo
Back to CVE Browser

CVE-2018-0147

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score81.8850%
EPSS Percentile95.05th
PublishedMar 8, 2018
Last ModifiedJan 14, 2026

Vulnerability Description

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.

Affected Platforms (CPE)

πŸ“¦
Cisco

Secure Access Control System

= 5.2\(0.3\)

References & Advisories

πŸ”— http://www.securityfocus.com/bid/103328
πŸ”— http://www.securitytracker.com/id/1040463
πŸ”— https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2
πŸ”— http://www.securityfocus.com/bid/103328
πŸ”— http://www.securitytracker.com/id/1040463
πŸ”— https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2
πŸ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0147

Related Vulnerabilities

CVE-2014-064810.0

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authoriz...

CVE-2014-065010.0

The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary ...

CVE-2010-530810.0

GE Healthcare Optima MR360 does not require authentication for the HIPAA emergency login procedure, which allows physically proxim...

CVE-2026-361110.0

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default co...