Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability
Description
A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to view a password in clear text. The vulnerability is due to incorrectly logging the admin password when a user is forced to modify the default password when logging in to the web portal for the first time. Subsequent password changes are not logged and other accounts are not affected. An attacker could exploit this vulnerability by viewing the admin clear text password and using it to access the affected system. The attacker would need a valid user account to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco NFVIS logs the admin password in clear text when the default password is changed, allowing an authenticated attacker to recover it.
Vulnerability
In Cisco Enterprise NFV Infrastructure Software (NFVIS), the web portal incorrectly logs the admin password in clear text when a user is forced to change the default password on first login. This flaw affects NFVIS releases earlier than version 3.9.1 [1]. Subsequent password changes are not logged, and other accounts are not affected by this vulnerability.
Exploitation
An attacker must have a valid user account on the affected NFVIS system [1]. By accessing the system logs where the clear text password is recorded during the mandatory initial password change, the attacker can view the admin password. No additional authentication or user interaction beyond the initial login is required.
Impact
Successful exploitation allows the attacker to obtain the admin password in clear text [1]. With this password, the attacker can authenticate as the admin user and gain full administrative access to the affected system, leading to complete compromise of the NFVIS deployment.
Mitigation
Cisco has released software updates to address this vulnerability [1]. Fixed software is available in Cisco NFVIS Release 3.9.1 and later [1]. There are no workarounds that address this vulnerability [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Cisco/Cisco Enterprise NFV Infrastructure Software (v5), Range: unspecified
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-pwrecov (mitre, vendor-advisory, x_refsource_CISCO)