Home

Description

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.

PUBLISHED Reserved 2017-11-27 | Published 2018-03-08 | Updated 2026-01-12 | Assigner cisco

CISA Known Exploited Vulnerability

Date added 2022-03-25 | Due date 2022-04-15

Apply updates per vendor instructions.

Problem types

CWE-20

References

www.securitytracker.com/id/1040463 (1040463) vdb-entry

www.securityfocus.com/bid/103328 (103328) vdb-entry

tools.cisco.com/...coSecurityAdvisory/cisco-sa-20180307-acs2

www.cisa.gov/...nerabilities-catalog?field_cve=CVE-2018-0147 government-resource

www.securitytracker.com/id/1040463 (1040463) vdb-entry

www.securityfocus.com/bid/103328 (103328) vdb-entry

tools.cisco.com/...coSecurityAdvisory/cisco-sa-20180307-acs2

cve.org (CVE-2018-0147)

nvd.nist.gov (CVE-2018-0147)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.