CISA Known Exploited Vulnerability

CVE-2018-0147

Cisco · Secure Access Control System (ACS)

Cisco Secure Access Control System Java Deserialization Vulnerability

Date added 2022-03-25

BOD 22-01 due date 2022-04-15

CWE CWE-20

Ransomware Unknown

CISA description

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software.

Required action

Apply updates per vendor instructions.

Notes & references

https://nvd.nist.gov/vuln/detail/CVE-2018-0147

Where this lands in 800-53

Vulnerability data triggers these controls during assessment and continuous monitoring.

RA-5 · Vulnerability Monitoring and Scanning
SI-2 · Flaw Remediation
CM-6 · Configuration Settings
SI-7 · Software, Firmware, and Information Integrity
CM-8 · System Component Inventory

External lookups

NVD · CVE-2018-0147
CVE.org · CVE-2018-0147
CISA KEV catalog (canonical)