Cisco ACE 4710 Device Manager GUI Remote Command Injection Vulnerability (cisco-sa-20160224-ace)

Severity: High | Nessus Plugin ID 89690


Synopsis

The remote device is affected by a remote command injection vulnerability.


Description

The Cisco Application Control Engine (ACE) software installed on the remote Cisco ACE 4710 device is an A5 version prior to A5(3.0). It is, therefore, affected by a remote command injection vulnerability in the device manager GUI due to improper validation of user-supplied input in HTTP POST requests. An authenticated, remote attacker can exploit this to bypass the role-based access control (RBAC) restrictions and execute CLI commands with 'admin' privileges.


Solution

Upgrade to Cisco ACE version A5(3.1) or later.
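A minimal version gate in the spirit of this plugin's check, added here as an example (it is not Tenable's NASL code): it parses Cisco ACE version strings such as 'A5(2.1a)' and flags only ACE 4710 hosts running an A5 train earlier than A5(3.0), the boundary stated in the description above. The version-string format and the model-string matching are assumptions.

```python
import re
from typing import Optional, Tuple

# Boundary taken from the plugin description: A5 train, vulnerable before A5(3.0).
VULN_TRAIN = 5
FIXED_IN = (3, 0)

# Assumed ACE version layout: A<train>(<major>.<minor><optional letter>), e.g. A5(2.1a).
_VER_RE = re.compile(r"^A(\d+)\((\d+)\.(\d+)([a-z]?)\)$")


def parse_ace_version(ver: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (train, major, minor, suffix) for an ACE version string, or None if unparseable."""
    m = _VER_RE.match(ver.strip())
    if not m:
        return None
    train, major, minor, suffix = m.groups()
    return int(train), int(major), int(minor), suffix


def is_affected(model: str, ver: str) -> bool:
    """True when an ACE 4710 reports an A5 release older than A5(3.0)."""
    parsed = parse_ace_version(ver)
    if parsed is None:
        return False          # unknown format: stay quiet rather than guess
    if "4710" not in model:
        return False          # plugin requires the ACE 4710 model KB item
    train, major, minor, _suffix = parsed
    if train != VULN_TRAIN:
        return False          # only the A5 train is in scope for this advisory
    return (major, minor) < FIXED_IN


if __name__ == "__main__":
    # Constructed sample inventory: (model KB item, version KB item)
    for model, ver in [("ACE 4710", "A5(2.1a)"), ("ACE 4710", "A5(3.0)"), ("ACE 4710", "A4(2.3)")]:
        print(model, ver, "affected" if is_affected(model, ver) else "not affected")
```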

Plugin Details

Severity: High

ID: 89690

File Name: cisco-sa-20160224-ace.nasl

Version: 1.6

Type: local

Family: CISCO

Published: 3/4/2016

Updated: 11/20/2019

Configuration: Enable paranoid mode

Risk Information

Vulnerability Priority Rating (VPR)

Risk Factor: Medium

Score: 5.9

CVSS v2.0

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2016-1297

CVSS v3.0

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:application_control_engine_software

Required KB Items: Host/Cisco/ACE/Version, Host/Cisco/ACE/Model, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 10/1/2014

Vulnerability Publication Date: 2/24/2016

Reference Information

CVE: CVE-2016-1297

BID: 83390


IAVA: 2016-A-0057

CISCO-SA: cisco-sa-20160224-ace