Cyber Posture

CVE-2026-5944

Severity: High

Published: 28 April 2026
Modified: 28 April 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0011 (29.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication.

An unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the exposed endpoint to enumerate cluster metadata, including virtual machine information and cluster configuration details. While the API primarily supports read-only operations, it also allows certain cluster maintenance workflows to be invoked. Although this vulnerability does not allow persistent modification of system configurations or access to credentials or sensitive user data, successful exploitation may result in disruption of active workloads, leading to loss of service availability within the affected environment.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

AC-14 Permitted Actions Without Identification or Authentication [prevent]

Directly addresses the missing authentication for the API passthrough by requiring explicit authorization of any permitted actions without identification or authentication.

CM-7 Least Functionality [prevent]

Prohibits or restricts unnecessary ports, protocols, and services such as TCP 7373, preventing exposure of the vulnerable endpoint.

SC-7 Boundary Protection [prevent, detect]

Monitors and controls communications at system boundaries to block network access to the unauthenticated endpoint and detect anomalous traffic.
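The boundary-protection control above is easiest to operationalise as a rule over flow or firewall logs: any TCP connection to the connector port that does not originate from the management range is worth an alert, and accepted connections are more urgent than dropped attempts. The script below is an added example written for this page, not code from Cyber Posture, Cisco or Nutanix. Only the port number (TCP 7373) comes from the advisory text; the key=value log format, the sample flow lines and the 10.0.5.0/24 management subnet are constructed assumptions, so adapt the regex and allow-list to your own log source before use.

```python
import ipaddress
import re
from dataclasses import dataclass

# Port named in the advisory above; everything else in this file is a constructed assumption.
CONNECTOR_PORT = 7373

# Hypothetical allow-list: only the management subnet is expected to reach the connector.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed flow-log lines in a simple key=value format chosen for this example.
SAMPLE_FLOWS = """\
2026-04-29T10:00:01Z src=10.0.5.12 dst=10.0.9.20 proto=tcp dport=7373 action=ACCEPT
2026-04-29T10:00:02Z src=10.0.5.12 dst=10.0.9.20 proto=tcp dport=443 action=ACCEPT
2026-04-29T10:00:03Z src=192.168.77.4 dst=10.0.9.20 proto=tcp dport=7373 action=ACCEPT
2026-04-29T10:00:04Z src=172.16.3.9 dst=10.0.9.20 proto=tcp dport=7373 action=DROP
2026-04-29T10:00:05Z src=172.16.3.9 dst=10.0.9.20 proto=tcp dport=7373 action=ACCEPT
2026-04-29T10:00:06Z src=10.0.5.40 dst=10.0.9.20 proto=udp dport=7373 action=ACCEPT
malformed line that should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_allowed_source(src, allowed=ALLOWED_SOURCES):
    """True when the source address falls inside one of the permitted management ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source addresses are never trusted
    return any(addr in net for net in allowed)


def find_unexpected_connector_access(lines, allowed=ALLOWED_SOURCES):
    """Return a Finding for every TCP flow to the connector port from outside the allow-list."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow["proto"].lower() != "tcp" or flow["dport"] != CONNECTOR_PORT:
            continue
        if is_allowed_source(flow["src"], allowed):
            continue
        if flow["action"].upper() == "ACCEPT":
            reason = "accepted tcp/7373 from outside the allowed management range"
        else:
            reason = "blocked tcp/7373 attempt from outside the allowed management range"
        findings.append(Finding(flow["ts"], flow["src"], flow["dst"], reason))
    return findings


def summarize(findings):
    """Count accepted versus blocked out-of-range flows; accepted ones need immediate follow-up."""
    accepted = sum(1 for f in findings if f.reason.startswith("accepted"))
    return {"accepted": accepted, "blocked": len(findings) - accepted}


if __name__ == "__main__":
    results = find_unexpected_connector_access(SAMPLE_FLOWS.splitlines())
    for f in results:
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
    print(summarize(results))
```

On the constructed sample the script reports three findings: two accepted connections from 192.168.77.4 and 172.16.3.9, which indicate the boundary filter is not enforcing the allow-list, and one dropped attempt from 172.16.3.9, which shows the filter working but is still worth recording. Traffic on UDP 7373 and from the management subnet is ignored, as is the malformed line.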

Security Summary (AI-generated)

CVE-2026-5944 is an improper access control vulnerability in the Cisco Intersight Device Connector for Nutanix Prism Central. The affected component exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without requiring authentication. This issue, associated with CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and was published on April 28, 2026.

An unauthenticated attacker with network access to the exposed endpoint can exploit this vulnerability by sending crafted requests. Exploitation enables enumeration of cluster metadata, including virtual machine information and cluster configuration details. Although the API primarily supports read-only operations, it also permits invocation of certain cluster maintenance workflows, potentially resulting in disruption of active workloads and loss of service availability. The vulnerability does not allow persistent modification of system configurations or access to credentials or sensitive user data.

Nutanix has issued a security advisory detailing the vulnerability, available at https://download.nutanix.com/alerts/Security_Advisory_0046.pdf, along with related documentation on their portal (https://portal.nutanix.com/page/documents/list?type=software&filterKey=software&filterVal=Prism) and support site (https://www.nutanix.com/support). Practitioners should consult these resources for specific mitigation guidance and patch information.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1580 Cloud Infrastructure Discovery (Discovery)
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability exposes an unauthenticated network-accessible API endpoint, directly enabling exploitation of public-facing applications (T1190), system information discovery via cluster/VM metadata enumeration (T1082), cloud infrastructure discovery (T1580), and endpoint denial of service through invocation of disruptive maintenance workflows (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

Nutanix Security Advisory 0046: https://download.nutanix.com/alerts/Security_Advisory_0046.pdf
Nutanix Prism documentation: https://portal.nutanix.com/page/documents/list?type=software&filterKey=software&filterVal=Prism
Nutanix support: https://www.nutanix.com/support