CVE-2018-0130
published 2018-02-22

Priority: P262 | Severity: critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.00% (78.3th percentile)

A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system. The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg30884.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
cisco | elastic_services_controller_service_portal_unauthorized_access | |
cisco | virtual_managed_services | |

Detection & IOCs (extracted from sources)

  • The vulnerability involves static default credentials embedded in the Cisco Elastic Services Controller software image and used to sign/generate JSON web tokens (JWTs) for the web-based service portal. Detect unauthorized administrative sessions by monitoring the ESC service portal for JWTs generated with the static/default signing credentials.
  • Scope detection to Cisco Elastic Services Controller Software Release 3.0.0 specifically, as this is the only confirmed affected version.
  • No workarounds are available for this vulnerability; only the vendor-released software update remediates it. Detection must rely on monitoring for exploitation rather than configuration mitigation.
  • The static credentials are embedded within the software image itself, meaning any installation of ESC 3.0.0 shares the same default JWT signing secret, making cross-instance token forgery trivially possible for any attacker who has access to the image.

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_cisco | 7.3 | HIGH