CVE-2022-20662 — Vulnetix

CVE-2022-20662 PUBLISHED CVSS 6.099999904632568 MEDIUM

A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user.

EPSS 0.15% · 35.4th percentile

Risk Scores

CVSS 3.1

6.099999904632568

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.15%

35.4th percentile

Affected Products

Vendor	Product	Versions
Cisco	Cisco Duo	n/a
cisco	duo	0

Exploit Intelligence

20220928 Cisco Duo for macOS Authentication Bypass Vulnerability (circl)

Timeline

Sep 30, 2022 CVE Published
Oct 1, 2022 EPSS Score
Nov 14, 2022 EPSS Score
Dec 29, 2022 EPSS Score
Feb 11, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 11, 2023 EPSS Score
Jun 24, 2023 EPSS Score
Aug 8, 2023 EPSS Score
Sep 21, 2023 EPSS Score
Nov 4, 2023 EPSS Score

References

20220928 Cisco Duo for macOS Authentication Bypass Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-20662 advisory

Open in Interactive Console →