Cisco Enterprise NFV Infrastructure Software Authentication Bypass Vulnerability
Description
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Cisco NFVIS TACACS+ AAA allows unauthenticated remote attackers to bypass authentication and gain admin access via parameter injection.
Vulnerability
The TACACS+ authentication, authorization, and accounting (AAA) feature in Cisco Enterprise NFV Infrastructure Software (NFVIS) contains a vulnerability in the authentication script /usr/bin/ext_auth.sh. When TACACS is enabled, the script receives user-supplied input via standard input in a format [${USER};${PASS};${IP};${PORT};${CONTEXT};${PROTO};]. Insufficient input validation allows an attacker to inject additional parameters using characters such as ;, ], or null bytes. This affects NFVIS versions prior to the fixed releases described in Cisco Security Advisory [2]. The vulnerability is present when TACACS authentication is configured, regardless of whether a TACACS server is reachable [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted authentication request (e.g., via SSH, HTTPS, or NETCONF) containing injected characters in the username or password field. This injection can trigger the execution of /usr/bin/auth_hash.py with attacker-controlled parameters, as the script reads the $user and $pass variables directly from the input. The attacker does not need prior authentication or a valid TACACS server; only network access to a management interface is required. The injection allows the attacker to bypass the authentication check and gain access as an administrator [1].
Impact
Successful exploitation grants the attacker full administrative privileges on the affected Cisco NFVIS device. This compromises the confidentiality, integrity, and availability of the device and its managed services. The attacker can execute arbitrary commands, modify configurations, and potentially pivot to other systems [1][2].
Mitigation
Cisco has released software updates to address this vulnerability. Users should upgrade to a fixed version as specified in the Cisco Security Advisory [2]. If immediate upgrade is not possible, disabling TACACS authentication or restricting network access to management interfaces can reduce risk. There is no known inclusion of this CVE in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Cisco/Cisco Enterprise NFV Infrastructure Softwarev5Range: n/a
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVhmitrevendor-advisoryx_refsource_CISCO
- github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.