Cyber Resilience

CVE-2018-0147

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 08 March 2018
Modified: 14 January 2026
KEV Added: 25 March 2022
Patch: available (release 5.8 patch 9)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0395 (88.6th percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-0147 is a critical-severity vulnerability in Cisco Secure Access Control System (ACS), classified as Improper Input Validation (CWE-20) and Deserialization of Untrusted Data (CWE-502). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 11.4% of CVEs by EPSS exploit likelihood (88.6th percentile), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, which confirms in-the-wild exploitation.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability lies in the Java deserialization logic of Cisco Secure Access Control System (ACS) releases prior to 5.8 patch 9. The software deserializes user-supplied content without validating it, so an attacker controls which classes are instantiated and with what data. The issue is tracked as Cisco Bug ID CSCvh25988 and classified under CWE-20 and CWE-502. It carries a CVSS 3.1 base score of 9.8: reachable over the network, low attack complexity, and no credentials or user interaction required.

An unauthenticated remote attacker can exploit the flaw by sending a crafted serialized Java object to the affected ACS instance. Successful exploitation grants the ability to execute arbitrary commands on the device with root privileges.

The referenced Cisco Security Advisory at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2 addresses the issue and identifies release 5.8 patch 9 as the fixed release. Additional details appear in the associated SecurityFocus and SecurityTracker entries.

Vulnerability details

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.

CWE(s): CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Secure Access Control System 5.2(0.3)

Note that this asset record lists only release 5.2(0.3), whereas the advisory text covers every ACS release prior to 5.8 patch 9; when scoping exposure, treat any release prior to 5.8 patch 9 as affected rather than matching on this single version string.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied serialized Java objects so that crafted content is rejected before deserialization occurs. In practice this means an allowlist of the classes the protocol legitimately carries, plus size and depth limits, enforced by the deserialization layer itself rather than by a check that runs after the objects already exist.

SI-2 Flaw Remediation (prevent): Mandates prompt application of the vendor fix (release 5.8 patch 9) that removes the insecure deserialization path.

Malicious-code protection (prevent, detect): Provides malicious-code detection mechanisms that can identify and block exploit payloads attempting to abuse Java deserialization.
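As an added illustration of the flaw class described under "Deeper analysis" and of the SI-10 control above (example code written for this page, not Cisco's ACS implementation, whose internals are not public): a Java service reads a client-supplied serialized object with an unfiltered ObjectInputStream, beside the same read guarded by a JEP 290 ObjectInputFilter allowlist. SessionToken, the class names in the filter pattern and the HashMap used as a stand-in for a crafted payload are assumptions constructed for the example; no gadget chain is included.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example for this page; not Cisco ACS code.
public class DeserializationFilterDemo {

    // Helper: produce the byte stream a client would send over the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern (CWE-502): readObject() on attacker-controlled bytes with no filter.
    // Every class named in the stream is resolved and instantiated before the caller
    // ever gets a chance to inspect the result.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED: JEP 290 allowlist filter, i.e. SI-10 style validation applied inside the
    // deserialization layer. Only the listed types may be reconstructed; "!*" rejects every
    // other class. The limits bound nesting depth, back-reference count, array length and
    // total stream size so that resource-exhaustion payloads are cut off too.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=64;maxarray=256;maxbytes=4096;"
          + "java.lang.String;" + SessionToken.class.getName() + ";!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate message and one stand-in for a crafted payload.
        // A real exploit would carry a gadget chain; any class outside the allowlist is
        // enough to show the filter decision.
        byte[] expected = serialize(new SessionToken("alice"));
        byte[] crafted = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, expected type: "
                + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered, crafted type:  "
                + readUnfiltered(crafted).getClass().getSimpleName());

        System.out.println("filtered, expected type:   "
                + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(crafted);
            System.out.println("filtered, crafted: ACCEPTED (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, crafted: REJECTED (" + e.getMessage() + ")");
        }
    }
}

// Hypothetical message type the service legitimately expects (constructed for the example).
class SessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    public final String user;
    public SessionToken(String user) { this.user = user; }
}
```

Run with `java DeserializationFilterDemo.java` on JDK 11 or later. The unfiltered reader reconstructs whatever type the stream names, which is the behaviour the advisory describes; the filtered reader throws InvalidClassException with status REJECTED before the HashMap, or any other unlisted class, is instantiated. The allowlist must enumerate every type the legitimate protocol carries, including java.lang.String and any boxed primitives, or legitimate traffic fails as well, so derive it from the real message schema rather than from a single sample.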
