CVE-2021-34739
Severity: HIGH
Title: Cisco Small Business Series Switches < 2.5 - Insufficient Session Expiration
A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gain unauthorized access to the web-based management interface of an affected device. This vulnerability is due to insufficient expiration of session credentials. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack against an affected device to intercept valid session credentials and then replaying the intercepted credentials toward the same device at a later time. A successful exploit could allow the attacker to access the web-based management interface with administrator privileges.
References (1)
Vendor Advisory (Cisco): https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-switches-tokens-UzwpR4e5
Scores
CVSS v3: 8.1 (vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0050 (percentile: 66.3%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-613 (Insufficient Session Expiration)
Status: published
Products (50), affected firmware versions
cisco/cbs250-16p-2g_firmware < 3.1
cisco/cbs250-16t-2g_firmware < 3.1
cisco/cbs250-24fp-4g_firmware < 3.1
cisco/cbs250-24fp-4x_firmware < 3.1
cisco/cbs250-24p-4g_firmware < 3.1
cisco/cbs250-24p-4x_firmware < 3.1
cisco/cbs250-24pp-4g_firmware < 3.1
cisco/cbs250-24t-4g_firmware < 3.1
cisco/cbs250-24t-4x_firmware < 3.1
cisco/cbs250-48p-4g_firmware < 3.1
... and 40 more
Published: Nov 04, 2021
Tracked Since: Feb 18, 2026