Cybersecurity specialists reported the discovery of critical vulnerabilities in Application Services Engine, a platform developed by the technology firm Cisco and designed to host multiple operational applications. According to the report, successful exploitation of these flaws would allow an attacker to compromise vulnerable systems by sending malicious packets.

Below are brief descriptions of reported flaws in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-1393: This flaw exists due to insufficient access controls for a service running on the data network. Unauthenticated remote threat actors can send specially crafted network packets to the affected system and gain unauthorized access, allowing them to run containers or invoke host-level operations.

The flaw received a score of 8.5/10, and its successful exploitation would allow full compromise of the vulnerable system.

CVE-2021-1396: This flaw exists due to incorrect access restrictions on certain API endpoints running on the data network, which would allow unauthenticated threat actors to gain unauthorized access to the affected system.

The flaw received a score of 5.7/10, and its successful exploitation would allow malicious hackers to obtain device-specific information, create support files on an isolated volume, and make limited configuration changes.

Both flaws reside in the following Cisco Application Services Engine versions: 1.1.3, 1.1.3a, 1.1.3b, 1.1.3c, and 1.1.3d.

While both flaws can be exploited by unauthenticated remote threat actors sending malicious packets, cybersecurity experts have not detected attempts at active exploitation or the existence of a malware variant associated with either flaw. Updates are now available, so administrators of affected deployments are encouraged to update as soon as possible.

To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.