CVE-2002-0241
Description
NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) 3.0.1 does not check the Expired or Disabled state of users in the Novell Directory Services (NDS), which could allow those users to authenticate to the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco Secure ACS 3.0.1 fails to check NDS user account status, allowing expired/disabled users to authenticate.
Vulnerability
NDSAuth.DLL in Cisco Secure Authentication Control Server (ACS) version 3.0.1 does not validate the Expired or Disabled state of users in the Novell Directory Services (NDS) during authentication [1]. This allows users whose accounts have been disabled or expired to successfully authenticate to the server, bypassing intended access controls.
Exploitation
An attacker who possesses valid NDS credentials for an account that has been disabled or expired can authenticate to the Cisco Secure ACS server with nothing more than normal network access; no additional privileges or special network position are needed [1]. No user interaction or race condition is required; the attacker simply attempts to log in using the affected authentication path.
Impact
Successful exploitation grants the attacker unauthorized access to the Cisco Secure ACS server, potentially allowing them to gain network access or resources that should have been blocked due to account status [1]. The compromise is limited to the authentication bypass; the attacker does not gain elevated privileges beyond what the disabled/expired account originally had.
Mitigation
Cisco has published a security advisory and recommends upgrading to a fixed version of Cisco Secure ACS [1]. The advisory provides details on obtaining the patch. No workaround is documented in the available references. Users should apply the vendor-supplied fix as soon as possible.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cisco:secure_access_control_server:3.0.1:*:windows_nt:*:*:*:*:*
- Range: = 3.0.1
Patches
No patches discovered yet.
References
- [1] www.cisco.com/warp/public/707/ciscosecure-acs-nds-authentication-vuln-pub.shtml (nvd: Patch, Vendor Advisory)
- www.iss.net/security_center/static/8106.php (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/4048 (nvd: Patch, Vendor Advisory)