Cisco Java Deserialization Function Untrusted Data Improper Input Validation Vulnerability


A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.


The information has been provided by Francisco Ribeiro.

The original article can be found at:



The vulnerability is due to the insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. 
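The pattern behind this class of bug, shown as an added example that is not Cisco's code: a listener that calls `readObject()` on untrusted bytes lets the sender choose which classes are instantiated, whereas a JEP 290 serialization filter (Java 9+) restricts deserialization to the types the listener actually expects. `StatusMessage` is a hypothetical message type standing in for whatever the real service expects.

```java
import java.io.*;

public class DeserializationDemo {
    // Hypothetical message type that this listener legitimately expects.
    public static final class StatusMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        StatusMessage(String text) { this.text = text; }
    }

    // Vulnerable pattern: any Serializable class on the classpath may be
    // instantiated (and its readObject hooks run) before the cast is ever checked.
    static Object readUnfiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow-list the expected classes, reject everything else ("!*"),
    // and cap graph depth and stream size to blunt resource-exhaustion payloads.
    static Object readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$StatusMessage;java.lang.String;maxdepth=5;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // throws InvalidClassException on a rejected class
        }
    }

    // Constructed sample input: serialize an object the same way a client would.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusMessage("ok"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        // Allowed type passes the filter.
        System.out.println("accepted: " + readFiltered(new ByteArrayInputStream(expected)).getClass());
        // Any type outside the allow-list is rejected before it is instantiated.
        try {
            readFiltered(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is the mitigation a defender applies to the listener; the upgrade to a fixed release remains the vendor's recommended action.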

Vulnerable Systems: 

Cisco Security Manager releases earlier than Release 4.18.

CVE Information:


Disclosure Timeline:

Published Date: 10/02/2019