Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances. The vulnerability is tied to Cisco’s IronPort AsyncOS operating system.
Cisco first issued a security bulletin last week for the IronPort AsyncOS, but on Wednesday updated that alert with more information, including a software update that addresses the security flaw. Cisco also indicated a workaround exists that can halt remote access to affected email appliances.
Cisco says the vulnerability (CVE-2016-6406) is tied to the presence of the company’s own internal testing and debugging interface, which is accessible on the IronPort AsyncOS operating system. “An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges,” Cisco explains.