CVE-2021-1406
Published: 08 April 2021
Summary
CVE-2021-1406 is a medium-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability in Cisco Unified Communications Manager. Its CVSS base score is 4.9 (Medium).
Operationally, ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-6873
Vulnerability details
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability is due to improper…
more
inclusion of sensitive information in downloadable files. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to obtain hashed credentials of system users. To exploit this vulnerability an attacker would need to have valid user credentials with elevated privileges.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures.
A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.
The control's identification, isolation, alerting, and eradication steps directly limit the impact and exploitation window of unauthorized sensitive information exposure.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure.
Tainting directly detects exfiltration resulting from exposure of sensitive information to unauthorized actors.
OPSEC controls directly protect supply chain information from unauthorized observation or disclosure.