CVE-2021-34746
CRITICALCisco Enterprise NFV Infrastructure Software < 4.6.1 - Authentication Bypass via TACACS+ Input Injection
Title source: llmDescription
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh
Exploit, Third Party Advisory x_refsource_misc
https://github.com/orangecertcc/security-research/security/advisories/GHSA-gqx8-c4xr-c664
Scores
CVSS v3
9.8
EPSS
0.0762
EPSS Percentile
92.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-289
CWE-287
Status
published
Products (1)
cisco/enterprise_nfv_infrastructure_software
< 4.6.1
Published
Sep 02, 2021
Tracked Since
Feb 18, 2026