CVE-2022-20662
MEDIUMCisco Duo for macOS < 2.0.0 - Unauthenticated Authentication Bypass via Smart Card Login
Title source: llmDescription
A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user.
References (1)
Core 1
Core References
Mitigation, Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-macOS-bypass-uKZNpXE6
Scores
CVSS v3
6.1
EPSS
0.0015
EPSS Percentile
35.1%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (1)
cisco/duo
< 2.0.0
Published
Sep 30, 2022
Tracked Since
Feb 18, 2026