One-click exploit possible with Cisco ISE bugs

SecurityWeek reports that Cisco's Identity Services Engine is being impacted by four security flaws, which could enable arbitrary command injection, security protection evasion, and cross-site scripting attacks. Threat actors could leverage the most severe vulnerability, tracked as CVE-2022-20964, to facilitate arbitrary command execution, according to Cisco. Moreover, Yoroi security researcher Davide Virruso said that the flaw could be chained with an already patched XSS vulnerability in ISE, tracked as CVE-2022-20959, to secure a remote root shells on vulnerable systems. "It only takes one click of the victim on the link to get a shell as the system root user," said Virruso. Attackers could also use the web-based management interface access bypass flaw, tracked CVE-2022-20965, to expand chained exploits' attack surface and trigger information disclosure. Meanwhile, both CVE-2022-20966 and CVE-2022-20967 could be abused to enable XSS attacks. Cisco intends to issue fixes for the flaws in the first quarter of 2023 but hot fixes could already be secured by customers.