Cisco has released a security advisory to address a vulnerability in Cisco Secure Access Control Server (ACS) versions 4.0 through 18.104.22.168. This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary commands. The vulnerability is only present when Cisco ACS is configured as a RADIUS server.
Cisco has released software updates that address this vulnerability.
US-CERT encourages administrators of this software to review Cisco Security Advisory 20130828-ACS and follow best-practice security policies to determine whether their organization is affected and what the appropriate response is.