Cisco Duo Self-Service Portal Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the self-service portal of Cisco Duo. This issue allows an unauthenticated, remote attacker to inject arbitrary commands into emails sent by the service. The vulnerability arises from inadequate input validation, enabling attackers to embed malicious content in emails delivered to users.
Impact
Exploitation of this vulnerability could result in the injection of malicious content into emails sent by the Cisco Duo self-service portal, potentially leading to phishing or other social engineering attacks on recipients.
Remediation
Cisco has addressed this vulnerability in the cloud-based Cisco Duo self-service portal. No user action is required, and customers seeking additional information can contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
