Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass Vulnerability

Key Information

Advisory ID: cisco-sa-20190807-nfvis-vnc-authbypass
CVE ID: CVE-2019-1895
CWE ID: CWE-306
Severity: High
CVSS Score: 9.8
Cisco Bug IDs: CSCvm75496, CSCvp00281

Summary

A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user. Attackers can exploit this vulnerability by intercepting an administrator VNC session request prior to login. Successful exploitation could allow an attacker to watch the administrator console session or interact with it, allowing admin access to the affected device.

Affected Products

Cisco Enterprise NFV Infrastructure Software (NFVIS) releases earlier than 3.12.1.

Workarounds

No workarounds are available.

Fixed Software

Cisco has released free software updates that address the vulnerability. Customers should ensure they have a valid license and follow the terms of the Cisco software license.

Source

This vulnerability was found during internal security testing.

URL

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass