IT security services specialists report finding two vulnerabilities in Connected Mobile Experiences, an intelligent WiFi solution that uses Cisco‘s wireless infrastructure to provide location services and location analysis for consumers’ mobile devices. Exploiting these flaws would allow threat actors to bypass security controls on the system.

Below is a brief overview of the reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-315: The vulnerability exists due to insufficient security mechanisms in the restricted shell implementation in the CLI, which could be exploited by local threat actors to send specially crafted commands and bypass the authentication process, gaining unauthorized access. 

The fault received a score of 4.7/10, IT security services specialists mentioned.

CVE-2020-3152: This flaw exists because the application does not impose security restrictions properly. Local administrators can send specially designed commands to the CLI for privilege escalation and arbitrary commands on the underlying operating system.  This vulnerability received a score of 6.1/10.

The flaws reside in the following Cisco Connected Mobile Experiences releases: 10.6.0, 10.6.1, 10.6.2.

Exploiting these flaws requires local access, which reduces the risk of exploitation considerably. However, IT security services experts consider the absence of security patches to affect users.