Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
TitleCisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities
Namecisco-sa-20090225-anmFirst vendor Publication2009-01-07
VendorCiscoLast vendor Modification2009-02-25
Severity (Vendor) N/ARevision1.0

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


Multiple vulnerabilities exist in the Cisco Application Networking Manager (ANM) and Cisco Application Control Engine (ACE) Device Manager applications. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

* ACE Device Manager and ANM invalid directory permissions vulnerability
* ANM default user credentials vulnerability
* ANM MySQL default credentials vulnerability
* ANM Java agent privilege escalation

Cisco has released free software updates that address these vulnerabilities. A workaround that mitigates one of the issues is available.

Original Source

Url : http://www.cisco.com/en/US/products/products_security_advisory09186a0080a7 (...)

CWE : Common Weakness Enumeration

67 %CWE-255Credentials Management
33 %CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration


OpenVAS Exploits

2009-06-05Name : Ubuntu USN-723-1 (git-core)
File : nvt/ubuntu_723_1.nasl

Open Source Vulnerability Database (OSVDB)

52379Cisco ANM Java Agent Unspecified Remote Privilege Escalation
52378Cisco ANM MySQL root Account Default Password
52377Cisco ANM Installation Default User Credentials
52376Cisco ACE Device Manager Multiple Unspecified Traversals

Information Assurance Vulnerability Management (IAVM)

2009-03-05IAVM : 2009-T-0016 - Multiple Vulnerabilities in Cisco ACE Device Manager and Cisco Application Ne...
Severity : Category II - VMSKEY : V0018515

Nessus® Vulnerability Scanner

2013-09-16Name : The remote device is missing a vendor-supplied security patch.
File : cisco-sa-20090225-anm.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
2014-02-17 10:21:55
  • Multiple Updates
2013-11-11 12:37:28
  • Multiple Updates
2013-05-11 00:42:33
  • Multiple Updates