Skip Navigation

March 3, 2021 |

Cisco fixes a critical severity flaw in ACI MSO

Loading table of contents...

On 24 February 2021, Cisco fixed a critical vulnerability in their Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO). This vulnerability ranked 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.


  • The flaw, tracked as CVE-2021-1388, is in the Cisco ACI Multi-Site Orchestrator (MSO) - Cisco Systems’ inter-site policy manager software.
  • The flaw impacts only Cisco ACI MSO 3.0 versions installed on the Application Services Engine and could allow a remote attacker to bypass authentication on an affected device.
  • According to Cisco, a malicious actor could use the flaw to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller (APIC) devices.

Why it's important

  • Although Cisco is not aware of any attempts to abuse the flaw for malicious purposes, its maximum severity signifies the ease of exploitation and may attract malicious actors to take advantage of the flaw in the near future.
  • We recommend reviewing the list of products affected and applying updates using guidance in the References section below.
  • In order to leverage this flaw, a threat actor needs to access the API.  Restricting API access to known systems is a great defence-in-depth strategy that can limit exposure to these types of vulnerabilities.