Cisco has issued a fix for a critical flaw in its Virtual Wide Area Application Services (vWAAS), software for optimizing WAN on virtual private cloud infrastructure.

Cisco patched a critical flaw in its wide area network (WAN) software solution for enterprises, which, if exploited, could give remote, unauthenticated attackers administrator privileges.

The flaw exists in Cisco Virtual Wide Area Application Services (vWAAS), software that Cisco describes as a “WAN optimization solution.” It helps manage business applications that are being leveraged in virtual private cloud infrastructure. The flaw (CVE-2020-3446), which has a critical-severity CVSS score of 9.8 out of 10, exists because user accounts for accessing the software contain default passwords. That means an attacker could log in with a default password and thus potentially obtain administrator privileges.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” according to Cisco’s Wednesday advisory.

vWAAS is hosted in compute appliances called Cisco Enterprise Network Compute Series (ENCS). These appliances are also used to deploy the Cisco Enterprise NFV Infrastructure Software (NFVIS), a software platform that implements full lifecycle management from the central orchestrator and controller for virtualized services.


Cisco Critical Flaw Patched in WAN Software Solution