September 25, 2025
Severity
High
Analysis Summary
A critical flaw has been identified in the implementation of the TACACS+ protocol within Cisco IOS and IOS XE Software, which could enable unauthenticated, remote attackers to bypass authentication or gain access to sensitive information. The vulnerability arises when the software fails to verify the presence of a required TACACS+ shared secret, leaving affected devices exposed to man-in-the-middle (MitM) attacks. Cisco discovered this issue internally during the investigation of a Technical Assistance Center (TAC) support case and has since issued a security advisory along with software patches to address the problem.
The vulnerability primarily impacts devices running susceptible versions of Cisco IOS or IOS XE that are configured to use TACACS+ without defining a shared secret for every TACACS+ server. In such scenarios, attackers positioned between the Cisco device and the TACACS+ server can intercept unencrypted TACACS+ messages to harvest sensitive information. More critically, attackers could impersonate the TACACS+ server to approve authentication requests, potentially granting themselves full unauthorized access to the network device.
Cisco has provided immediate guidance for administrators to assess their exposure. By using CLI commands such as show running-config | include tacacs, administrators can verify whether TACACS+ is enabled and confirm if every TACACS+ server entry is configured with its corresponding shared secret. If any server lacks a secret, the device is considered vulnerable and must be remediated. Cisco strongly recommends upgrading to the patched software releases as the definitive solution, as they permanently eliminate the flaw.
As a temporary mitigation, administrators can configure a shared secret for each TACACS+ server to block exploitation attempts. While effective in reducing the immediate risk, Cisco stresses that this should only be treated as a stop-gap measure until affected devices are upgraded to fixed versions. Importantly, Cisco’s Product Security Incident Response Team (PSIRT) has stated that there are currently no known public disclosures or active exploitation of this vulnerability in the wild, though prompt action is advised to prevent potential misuse.
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
Remediation
- Upgrade software to the fixed versions of Cisco IOS or IOS XE provided in Cisco’s security advisory.
- Verify TACACS+ configuration.
- Ensure a shared secret key is properly configured for every TACACS+ server entry.
- Apply Cisco’s recommended patches as the permanent fix rather than relying only on configuration changes.
- Use the workaround (configure shared secrets for all TACACS+ servers) as a temporary measure until the upgrade is completed.
- Monitor Cisco PSIRT advisories for updates or newly released fixes.
- Audit device configurations regularly to confirm that no TACACS+ server is missing a defined secret.
- Restrict network access to TACACS+ communications to minimize the risk of man-in-the-middle (MitM) positioning.
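The configuration check described in the analysis and in the audit step above, as an added example that is not part of the advisory: a small Python audit that reads running-config text and lists every TACACS+ server with no shared secret. The sample config is constructed, and the treatment of a global tacacs-server key as covering legacy host lines is an assumption, not something the advisory states.

```python
import re
from typing import List

# Constructed sample of running-config lines (not captured from a real device).
# Two new-style "tacacs server" stanzas, one of them missing its "key" line,
# plus two legacy "tacacs-server host" lines, one without a per-host key.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server AAA-PRIMARY
 address ipv4 192.0.2.10
 key 7 104D000A0618
tacacs server AAA-BACKUP
 address ipv4 192.0.2.11
tacacs-server host 192.0.2.12 key legacysecret
tacacs-server host 192.0.2.13
"""

def tacacs_servers_without_secret(config: str) -> List[str]:
    """Return every TACACS+ server in the config that has no shared secret.

    Covers the new-style 'tacacs server NAME' stanza, whose secret is an
    indented 'key' line, and the legacy 'tacacs-server host ADDR [key ...]'
    form. Assumption (not stated in the advisory): a global 'tacacs-server key'
    line supplies the secret for legacy hosts that lack their own.
    """
    stanza_keys = {}     # new-style server name -> has its own key line
    legacy_keys = {}     # legacy host address -> has its own key
    global_key = False
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None                       # top-level line closes stanza
        if m := re.match(r"^tacacs server (\S+)\s*$", line):
            current = m.group(1)
            stanza_keys[current] = False
        elif current and re.match(r"^\s+key\s+\S", line):
            stanza_keys[current] = True
        elif m := re.match(r"^tacacs-server host (\S+)(.*)$", line):
            legacy_keys[m.group(1)] = bool(re.search(r"\bkey\s+\S", m.group(2)))
        elif re.match(r"^tacacs-server key\s+\S", line):
            global_key = True
    missing = [name for name, ok in stanza_keys.items() if not ok]
    missing += [host for host, ok in legacy_keys.items() if not (ok or global_key)]
    return missing

if __name__ == "__main__":
    bad = tacacs_servers_without_secret(SAMPLE_CONFIG)
    print("VULNERABLE: no secret for " + ", ".join(bad) if bad else "all TACACS+ servers have a secret")
```

Feed it the output of show running-config (the full config, so that indented stanza lines are kept) and a non-empty result means the device still needs the workaround or the upgrade.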