High (8.2)

Cisco Intersight unauthenticated access to clusters (CVE-2026-5944)

CVE-2026-5944: Cisco Intersight Device Connector exposes API via Nutanix Prism Central. Unauthenticated attacker can disrupt clusters. Apply mitigations linked to vendor advisory.

Vendor-confirmed - CVE-2026-5944 is a high-severity improper access control vulnerability in the Cisco Intersight Device Connector for Nutanix Prism Central that allows an unauthenticated attacker with network access to enumerate cluster metadata and invoke maintenance workflows, risking workload disruption.

Overview

CVE-2026-5944 resides in the Cisco Intersight Device Connector service when integrated with Nutanix Prism Central. The connector exposes an API passthrough endpoint on TCP port 7373 that lacks authentication checks. Any device or user within the network scope of the deployment can reach this endpoint without credentials.

The exposed API primarily supports read operations, enabling an attacker to enumerate cluster metadata such as virtual machine inventories, cluster configuration details, and overall topology. The API does not grant persistent configuration changes or expose credentials and sensitive user data, but it does allow certain cluster maintenance workflows to be invoked.

Impact

Successful exploitation lets an unauthenticated attacker disrupt active workloads within the affected Nutanix environment. This can lead to loss of service availability for applications running on the cluster. The vulnerability is scored CVSS 8.2 (HIGH) due to the network attack vector, low complexity, and no required privileges or user interaction.

Affected Products

This vulnerability affects the Cisco Intersight Device Connector deployed with Nutanix Prism Central. Specific version ranges have not been detailed; all installations exposing port 7373 to the internal network are potentially at risk.

Remediation and Mitigation

Cisco has not yet released a security patch for this vulnerability. As a temporary mitigation:

  • Restrict network access to TCP port 7373 on Nutanix Prism Central systems. Use firewall rules or network segmentation to limit access to only trusted administrative hosts.
  • Monitor logs for unexpected API requests to the passthrough endpoint on port 7373.
  • Review and restrict the maintenance workflows that can be invoked via the API.
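
The first two mitigations can be checked against firewall flow records. The script below is an added example, not code from Cisco, Nutanix, or this advisory: it flags connections to TCP port 7373 on Prism Central that originate outside the trusted administrative hosts. The CSV layout, all addresses, and the allowlist are constructed assumptions to adapt to your own firewall export.

```python
import csv
import io
import ipaddress

CONNECTOR_PORT = 7373  # passthrough endpoint port named in the advisory
# Assumption: admin networks allowed to reach the connector (constructed values).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "10.20.5.10/32")]
# Assumption: Prism Central addresses in this deployment (constructed values).
PRISM_CENTRAL_HOSTS = {ipaddress.ip_address("10.30.1.5")}

# Constructed sample flow records: time, source, destination, dest port, firewall action.
SAMPLE_FLOWS = """\
ts,src,dst,dport,action
2026-01-10T09:00:01Z,10.20.0.4,10.30.1.5,7373,allow
2026-01-10T09:02:17Z,10.40.8.21,10.30.1.5,7373,allow
2026-01-10T09:02:19Z,10.40.8.21,10.30.1.5,7373,allow
2026-01-10T09:05:44Z,10.40.9.3,10.30.1.5,7373,deny
2026-01-10T09:07:02Z,10.40.8.21,10.30.1.5,443,allow
2026-01-10T09:09:30Z,not-an-ip,10.30.1.5,7373,allow
"""

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def audit_flows(flow_csv):
    """Return (exposures, blocked, malformed) for untrusted traffic to the connector port."""
    exposures, blocked, malformed = {}, {}, []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError, KeyError):
            malformed.append(row)  # keep unparseable records for manual review
            continue
        if dst not in PRISM_CENTRAL_HOSTS or dport != CONNECTOR_PORT or is_trusted(src):
            continue
        # "allow" from an untrusted source means the restriction is missing or bypassed;
        # any other action is a blocked attempt that is still worth an alert.
        bucket = exposures if row["action"] == "allow" else blocked
        bucket[str(src)] = bucket.get(str(src), 0) + 1
    return exposures, blocked, malformed

if __name__ == "__main__":
    exposures, blocked, malformed = audit_flows(SAMPLE_FLOWS)
    for src, count in exposures.items():
        print(f"EXPOSED: {src} reached port {CONNECTOR_PORT} {count} time(s)")
    for src, count in blocked.items():
        print(f"BLOCKED: {src} was denied {count} time(s)")
    print(f"{len(malformed)} malformed record(s) need manual review")
```

Any entry in the exposures result means the port 7373 restriction is not in effect for that source and the firewall rule or segmentation should be corrected.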

For the latest updates, consult the Cisco Security Advisory tracker. Organizations should also review related threats, such as the FIRESTARTER backdoor that persists on Cisco Firepower devices and the TeamPCP supply chain campaign for broader context on Cisco-related risks.

Security Insight

CVE-2026-5944 is a reminder that integration services often become overlooked attack surfaces. The passthrough pattern, where a connector exposes an internal API to the network without authentication, echoes past vulnerabilities in cloud management gateways. Vendors should treat every API endpoint exposed by a management connector as a critical security boundary, even when the endpoint is documented as “read-only” or “maintenance only.” For a broader view of current threats, see the weekly threat roundup of 10 critical CVEs.
