Monday, December 1

Cisco IOS and XE Vulnerability Let Remote Attacker Bypass Authentication and Access Sensitive Data


A critical vulnerability in the TACACS+ protocol implementation for Cisco IOS and IOS XE Software has been identified. This flaw could allow an unauthenticated, remote attacker to bypass authentication controls or access sensitive data.

The issue arises from the software’s failure to verify the presence of a required TACACS+ shared secret, creating an opportunity for machine-in-the-middle (MitM) attacks.

Cisco has released software updates to address the vulnerability and has provided a workaround for immediate mitigation.

Authentication Bypass and Data Exposure

This vulnerability occurs when affected devices handle TACACS+ authentication without a configured shared secret key.

An attacker on the network between the Cisco device and the TACACS+ server can exploit this by intercepting TACACS+ messages, which remain unencrypted without the secret, thus accessing sensitive information.

The attacker could also impersonate the TACACS+ server, falsely approving any authentication request from the device. Successful exploitation could grant unauthorized access to the network device or expose confidential data.

This vulnerability was discovered internally during the resolution of a Cisco Technical Assistance Center (TAC) support case.

A Cisco device is only vulnerable if it is running a susceptible version of Cisco IOS or IOS XE Software and is configured to use TACACS+ without a shared secret for every server.

Administrators can determine exposure by inspecting the device’s configuration. Using command-line interface (CLI) commands such as show running-config | include tacacs, administrators can confirm if TACACS+ is enabled.

If enabled, they must verify a shared secret key is configured for every TACACS+ server. Without it, the device is vulnerable and requires immediate remediation.
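The check described above can be automated over saved configurations. The following Python sketch is an added example, not code from Cisco or from the original article. It goes beyond the single command in the text by parsing both the named `tacacs server` blocks and the legacy `tacacs-server host` lines. The sample configuration, server names, addresses and key values are constructed, and treating a global `tacacs-server key` as covering only legacy host entries is a conservative assumption made for this example.

```python
import re

# Constructed sample of running-config lines (addresses and keys are placeholders).
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TAC-A
 address ipv4 192.0.2.10
 key 7 0000000000
tacacs server TAC-B
 address ipv4 192.0.2.11
 timeout 5
tacacs-server host 192.0.2.12
tacacs-server host 192.0.2.13 key 7 0000000000
"""

def servers_missing_key(config: str) -> list[str]:
    """Return the TACACS+ servers that have no shared secret configured."""
    named = {}          # named server -> True once a 'key' sub-command is seen
    legacy = []         # legacy host entries without a per-host key
    global_key = False  # legacy global 'tacacs-server key' present
    current = None      # named server block currently being read
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif line.startswith(" "):
            # Indented line: sub-command of the current block, if any.
            if current and re.match(r"\s+key\s+\S", line):
                named[current] = True
        else:
            current = None
            if m := re.match(r"tacacs server (\S+)", line):
                current = m.group(1)
                named[current] = False
            elif re.match(r"tacacs-server key\s+\S", line):
                global_key = True
            elif m := re.match(r"tacacs-server host (\S+)(.*)", line):
                if not re.search(r"\skey\s+\S", m.group(2)):
                    legacy.append(m.group(1))
    missing = [name for name, has_key in named.items() if not has_key]
    # Assumption: the global key is counted for legacy host entries only.
    if not global_key:
        missing += legacy
    return missing

if __name__ == "__main__":
    for server in servers_missing_key(SAMPLE_CONFIG):
        print(f"TACACS+ server without shared secret: {server}")
```

Any server the function returns should be given a shared secret, and the same key must be set on the TACACS+ server side.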

Cisco has issued a security advisory detailing the vulnerability and has released fixed software for affected products. It is strongly recommended to upgrade to a patched version of IOS or IOS XE to resolve the issue.

A temporary workaround is available. Administrators can mitigate the vulnerability by ensuring a shared secret key is configured for every TACACS+ server on their devices.

While this workaround prevents exploitation, Cisco considers it temporary until software upgrades can be applied.

The Cisco Product Security Incident Response Team (PSIRT) has indicated no known public announcements or malicious use of this vulnerability in the wild.
