Cisco Addresses Multiple Pre-Authentication Vulnerabilities in Cisco Security Manager (CVE-2020-27125, CVE-2020-27130, CVE-2020-27131)

On November 16, Cisco published three security advisories to address multiple vulnerabilities in Cisco Security Manager. Cisco Security Manager is a management solution that’s used to manage a variety of Cisco devices, from Cisco Adaptive Security Appliances to Cisco Switches, Routers and Firewall Services Modules.

The vulnerabilities were disclosed by Florian Hauser, a security researcher at Code White. Hauser initially disclosed the vulnerabilities to Cisco in July 2020. After Cisco released Cisco Security Manager 4.22, Hauser did not observe any notes regarding his disclosures. Hauser then published multiple proofs-of-concept (PoCs) for the vulnerabilities he discovered. After publishing his PoCs, Cisco released three advisories for the following vulnerabilities:

• CVE-2020-27125
• CVE-2020-27130
• CVE-2020-27131

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.