CVE-2004-1099 — Vulnetix

CVE-2004-1099 PUBLISHED CVSS 10 CRITICAL

Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username.

EPSS 2.16% · 84.6th percentile

Risk Scores

CVSS 2.0

EPSS Score

2.16%

84.6th percentile

Affected Products

Vendor	Product	Versions
cisco	secure_acs_solution_engine
n/a	n/a	*
cisco	secure_access_control_server	3.3\(1\), 3.3.1

Exploit Intelligence

20041102 Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication (circl)
ciscosecure-eaptls-auth-bypass(17936) (circl)
11577 (circl)
P-028 (circl)

Timeline

Nov 2, 2004 CVE Published
Feb 4, 2022 EPSS Score
Mar 29, 2022 EPSS Score
Jul 12, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Oct 26, 2022 EPSS Score
Dec 18, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 23, 2023 EPSS Score
Apr 3, 2023 EPSS Score
May 25, 2023 EPSS Score
Sep 8, 2023 EPSS Score

References

20041102 Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication vendor-advisory
ciscosecure-eaptls-auth-bypass(17936) vdb
11577 vdb
P-028 third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2004-1099 advisory

Open in Interactive Console →