Cisco just published a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The CVE-2021-1388 vulnerability ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The weakness is considered critical because even an unauthenticated attacker could remotely exploit it through the affected API. The affected products were announced in May 2020, so the problem has been around for a while. Even so, Cisco claims there are no (known) exploits in the wild.
Cisco also published another vulnerability (CVE-2021-1361) in their network operating system that could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device. This one has a CVSS score of 9.8; the files an attacker could create, delete, or overwrite include sensitive files related to the device configuration. Affected switches are vulnerable in their default configuration. An example scenario is that an attacker could add a user account without the device administrator knowing.
The CVSS scoring system is generic and doesn't take into account how the vulnerability relates to your specific environment. That means that to really understand how critical these (or any other) weaknesses are, you need to understand them in your specific context. This means analyzing how the affected assets relate to all other assets (especially crown jewels) in the organization (back to graphs again!) by examining connectivity risk scenarios and using them to calculate the actual risk induced by the vulnerability.
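As an added illustration of that contextual approach (example code written for this post, not a tool or method from the original article), the snippet below models a small asset graph and scales a generic CVSS base score by two environment factors: whether the affected switch is reachable from an untrusted zone, and how many hops separate it from the crown jewels. The graph, the asset names and the weighting model are constructed assumptions, not published data.

```python
from collections import deque

# Constructed sample asset graph (illustrative, not from the original post).
# An edge A -> B means "A can reach B over the network".
ASSETS = {
    "internet": {"core-sw-1"},                       # untrusted zone
    "core-sw-1": {"db-01", "ad-dc-01", "access-sw-2"},
    "access-sw-2": {"hr-share"},
    "lab-sw-3": {"mgmt-jump"},                       # isolated lab segment
    "mgmt-jump": {"ad-dc-01"},
    "db-01": set(), "ad-dc-01": set(), "hr-share": set(),
}
CROWN_JEWELS = {"db-01", "ad-dc-01"}

def hops_from(graph, start):
    """Breadth-first search: shortest hop count from start to each reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def contextual_risk(graph, asset, cvss_base, crown_jewels,
                    untrusted="internet", decay=0.5):
    """Scale a generic CVSS base score by environment context (illustrative model):
    exposure - 1.0 if the asset is reachable from the untrusted zone, else 0.5
    blast    - crown jewels reachable from the asset, each weighted decay**(hops-1)
               and normalised to [0, 1]; a 0.2 floor keeps unreachable cases non-zero."""
    exposure = 1.0 if asset in hops_from(graph, untrusted) else 0.5
    reach = hops_from(graph, asset)
    blast = sum(decay ** (reach[cj] - 1)
                for cj in crown_jewels if cj in reach and cj != asset)
    blast = min(1.0, blast / max(1, len(crown_jewels)))
    return cvss_base * exposure * (0.2 + 0.8 * blast)

def rank_findings(graph, findings, crown_jewels):
    """findings: [(asset, cvss_base)] -> [(asset, contextual_risk)], highest first."""
    scored = [(a, contextual_risk(graph, a, s, crown_jewels)) for a, s in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    # The same CVSS 10.0 finding on two switches gets very different contextual risk.
    findings = [("core-sw-1", 10.0), ("access-sw-2", 10.0), ("lab-sw-3", 9.8)]
    for asset, risk in rank_findings(ASSETS, findings, CROWN_JEWELS):
        print(f"{asset:12s} contextual risk {risk:5.2f}")
```

The core switch sitting one hop from both crown jewels keeps its full 10.0, while the identically scored access switch that reaches neither drops to 2.0, which is the prioritisation signal a flat CVSS number cannot give you.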