Cisco Patched SQL Injection Vulnerability in Cisco Prime License Manager

Cisco Patched a critical SQL Injection Vulnerability in Cisco Prime License Manager which allows an unauthenticated remote attacker to execute arbitrary SQL queries.

SQL injection is a code injection technique, in which attackers take non-validated input vulnerabilities and inject SQL commands through web applications that are executed in the backend database.

The vulnerability with Cisco Prime License Manager is due to lack of proper validation with the user-supplied input SQL queries. An unauthenticated remote attacker could exploit the vulnerability by sending an HTTP post request that contains a malicious SQL query.

Successful exploitation of the vulnerability could allow an attacker to delete or modify arbitrary data or to gain privilege access as Postgres user. The vulnerability can be tracked as CVE-2018-15441 and Cisco released software updates to address the vulnerability.

The vulnerability affects Cisco Prime License Manager Releases 11.0.1 and above, Cisco Unified Communications Manager and Cisco Unity Connection Releases 12.0 and later are not affected, as the License Manager not included in these versions.

Cisco released a patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn for Cisco Prime License Manager and can be applicable to Cisco Unified Communications Manager and Cisco Unity Connection 11.5(1) only, the customer who uses earlier release should update for 11.5(1) reads the Cisco Security advisory.

The patch file along with the instructions can be downloaded from here.

Related Read

Hackers Exploit Cisco Zero Day Vulnerability in Wild Resulting in DoS Condition

Cisco Released Security Updates & Fixed 37 Vulnerabilities that Affected Cisco Products

Cisco Patched Critical Vulnerability With Video Surveillance Manager Appliance

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Oracle Reports Data Breach, Initiates Client Notifications

Oracle Corporation has confirmed a data breach involving its older Gen 1 servers, marking its…

26 seconds ago

Vite Development Server Flaw Allows Attackers Bypass Path Restrictions

A critical security vulnerability, CVE-2025-31125, has been identified in the Vite development server. Due to improper…

46 minutes ago

New Android Spyware Tricks Users by Demanding Passwords for Uninstallation

A newly identified Android spyware app is elevating its tactics to remain hidden and unremovable…

1 hour ago

Malicious PDFs Responsible for 22% of All Email-Based Cyber Threats

Malicious PDF files have emerged as a dominant threat vector in email-based cyberattacks, accounting for…

2 hours ago

Ex-ASML Russian Employee Smuggled Trade Secrets to Moscow via USB

A former employee of Dutch semiconductor firm ASML, identified as German A. (43), stands accused…

4 hours ago

Critical Apache Parquet Vulnerability Allows Remote Code Execution

A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.…

4 hours ago