Unrated severity · NVD Advisory · Published Oct 5, 2018 · Updated Nov 26, 2024

Cisco Enterprise NFV Infrastructure Software Information Disclosure Vulnerability

CVE-2018-0460

Description

A vulnerability in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to read any file on an affected system. The vulnerability is due to insufficient authorization and parameter validation checks. An attacker could exploit this vulnerability by sending a malicious API request with the authentication credentials of a low-privileged user. A successful exploit could allow the attacker to read any file on the affected system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco NFVIS REST API path-traversal flaw grants any authenticated low-privilege attacker arbitrary file read on the appliance.

Vulnerability

A path-traversal vulnerability exists in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS). The bug is caused by insufficient authorization and parameter validation checks [1]. An authenticated, remote attacker can abuse this flaw to read arbitrary files on the underlying operating system. The affected product is Cisco NFVIS; the specific vulnerable versions are referenced in the Cisco bug ID listed in the advisory [1].

Exploitation

To exploit the flaw, an attacker needs valid credentials for any low-privileged user account on the NFVIS system [1]. The attacker then sends a specially crafted REST API call that traverses directories outside the intended scope, bypassing access controls because the input is not properly validated [1]. The adversary does not need write access, administrator privileges, or any user interaction beyond submitting the malicious HTTP request.

Impact

A successful exploit allows the attacker to read any file on the affected NFVIS system, irrespective of file permissions [1]. This can disclose sensitive configuration details, cryptographic material, credentials, and other proprietary information stored on the appliance. The confidentiality impact is complete; integrity and availability remain unaffected [1].

Mitigation

Cisco released fixed software versions for NFVIS, as specified in the advisory [1]. Affected customers should upgrade to the latest recommended release. No workarounds exist for this vulnerability [1]. The CVE is not known to be listed in the CISA KEV catalog as of the advisory date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
