{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ios/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-33018"},{"cvss":7.1,"id":"CVE-2026-33020"},{"id":"CVE-2026-41144"}],"_cs_exploited":false,"_cs_products":["ASA","Secure Firewall Threat Defense","IOS","IOS XE","IOS XR"],"_cs_severities":["critical"],"_cs_tags":["cisco","vulnerability","rce","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. 
Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. 
The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T05:43:56Z","date_published":"2026-04-24T05:43:56Z","id":"/briefs/2024-07-cisco-multiple-vulns/","summary":"Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.","title":"Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["IOS"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.persistence","attack.credential-access","attack.t1562.001","attack.t1556.004"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThe disabling of 802.1X authentication on a Cisco network device can bypass Network Access Control (NAC) mechanisms, potentially granting unauthorized devices access to the internal network. Attackers or malicious insiders might disable dot1x to establish persistence or facilitate lateral movement by connecting rogue devices to the network. This can be accomplished through CLI commands such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;, depending on the IOS version. These commands either disable 802.1X on a specific interface or globally across the device. 
The targeted scope is Cisco network devices utilizing 802.1X for network access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains privileged access to a Cisco network device via compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker executes CLI commands to disable 802.1X authentication on a specific interface or globally.\u003c/li\u003e\n\u003cli\u003eCommands used may include \u0026lsquo;access-session port-control force-authorized\u0026rsquo;, \u0026lsquo;authentication port-control force-authorized\u0026rsquo;, \u0026lsquo;dot1x port-control force-authorized\u0026rsquo;, \u0026lsquo;no access-session port-control\u0026rsquo;, \u0026lsquo;no authentication port-control\u0026rsquo;, \u0026lsquo;no dot1x port-control\u0026rsquo;, or \u0026lsquo;no dot1x system-auth-control\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe network interface transitions to a force-authorized state, bypassing the normal authentication process.\u003c/li\u003e\n\u003cli\u003eAn unauthorized device is connected to the compromised network interface.\u003c/li\u003e\n\u003cli\u003eThe unauthorized device gains network access without proper authentication or authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys malicious payloads across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of dot1x can lead to unauthorized network access, allowing attackers to bypass security controls. This can result in the compromise of sensitive data, the spread of malware, and the disruption of network services. 
The number of affected devices and the scope of the compromise depend on the network architecture and the attacker\u0026rsquo;s objectives. The impact could range from a single compromised workstation to a full-scale network breach affecting thousands of devices and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Dot1x Disabled\u003c/code\u003e to your SIEM to detect the execution of commands that disable 802.1X authentication.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco AAA logs for events containing keywords such as \u0026lsquo;access-session port-control force-authorized\u0026rsquo; and \u0026lsquo;no dot1x system-auth-control\u0026rsquo; to identify potential attempts to disable dot1x.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative access to Cisco network devices to prevent unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the configuration of Cisco network devices to ensure that 802.1X is enabled and properly configured on all relevant interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-cisco-dot1x-disabled/","summary":"Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.","title":"Cisco 802.1X (dot1x) Disabled on Network Interface","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-dot1x-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — IOS","version":"https://jsonfeed.org/version/1.1"}