Cisco Enterprise NFV Infrastructure Software Path Traversal Vulnerability
Description
A vulnerability in the directory permissions of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to perform a directory traversal attack on a limited set of restricted directories. The vulnerability is due to a flaw in the logic that governs directory permissions. An attacker could exploit this vulnerability by using capabilities that are not controlled by the role-based access control (RBAC) mechanisms of the software. A successful exploit could allow the attacker to overwrite files on an affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cisco NFVIS 3.5.1–4.1.2 contains a directory traversal flaw that lets an authenticated remote attacker overwrite files by using capabilities that RBAC does not control.
Vulnerability
Cisco Enterprise NFV Infrastructure Software (NFVIS) versions 3.5.1 through 4.1.2 contain a flaw in the logic that governs directory permissions [1]. The flaw allows an authenticated remote attacker to perform a directory traversal attack on a limited set of restricted directories, because certain capabilities are not controlled by the role-based access control (RBAC) mechanisms of the software [1].
Exploitation
An attacker must have authenticated access to the NFVIS device with valid credentials [1]. Exploitation relies on capabilities that are not governed by RBAC, which allow traversal beyond the permitted directory boundaries [1]. No user interaction beyond authentication is required, and the attack can be carried out remotely over the network [1].
Impact
Successful exploitation allows an attacker to overwrite files on the affected device [1]. This could lead to denial of service, configuration changes, or potentially further compromise depending on the files overwritten, though the traversal is limited to specific restricted directories [1].
Mitigation
Cisco has released software updates that address this vulnerability [1]. There are no workarounds available [1]. Users should upgrade to a fixed NFVIS version as indicated in the Cisco Security Advisory [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cisco/Cisco Enterprise NFV Infrastructure Software, v5, Range: n/a
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-path-emy79OC2 (mitre, vendor-advisory, x_refsource_CISCO)