Cisco HyperFlex Arbitrary Statistics Write Vulnerability
Description
A vulnerability in the Graphite interface of Cisco HyperFlex software could allow an authenticated, local attacker to write arbitrary data to the Graphite interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by connecting to the Graphite service and sending arbitrary data. A successful exploit could allow the attacker to write arbitrary data to Graphite, which could result in invalid statistics being presented in the interface. Versions prior to 3.5(2a) are affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco HyperFlex Graphite interface allows authenticated local attackers to inject arbitrary statistics data, corrupting displayed metrics.
Vulnerability
The Graphite interface in Cisco HyperFlex software versions prior to 3.5(2a) is vulnerable to an arbitrary data write due to insufficient authorization controls. An authenticated, local attacker can connect to the Graphite service and send arbitrary data to it [1].
Exploitation
The attacker must have local access and valid authentication to the HyperFlex system. No user interaction is required beyond initiating the connection. The attacker can then send crafted data directly to the Graphite interface, bypassing proper authorization checks [1].
Impact
Successful exploitation allows the attacker to write arbitrary data to the Graphite interface. This results in invalid or falsified statistics being presented in the interface, potentially misleading administrators about system health and performance. The vulnerability does not lead to remote code execution or data exfiltration, but undermines the integrity of monitoring data [1].
Mitigation
Cisco has addressed this vulnerability in software release 3.5(2a) and later. No workarounds are available. Affected customers should upgrade to a fixed release. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.5(2a)
- Range: unspecified
References
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-hyper-write (mitre, vendor-advisory, x_refsource_CISCO)
- www.securityfocus.com/bid/107100 (mitre, vdb-entry, x_refsource_BID)