A researcher discovered two vulnerabilities in Cisco’s Identity Services Engine product, the more severe of which has been disclosed to Cisco’s customers.
According to Davide Virruso of Yoroi, the web-based management interface of Identity Services Engine has an unauthorized file access flaw that enables a remote, authenticated attacker to read and delete files on impacted devices. The problem is catalogued as CVE-2022-20822.
Cisco is working on software updates that should close the security hole; the updates are anticipated to become available in November 2022 and January 2023. Cisco has also told customers that hot patches might be available upon request.