Cisco has put out a warning about numerous vulnerabilities in its Network Building Mediator (NBM) products that could lead to malicious parties taking complete control over affected devices.
The NBM connects a building's operations with IT to help with a facility's sustainability, energy consumption and efficiency.
In an advisory note, Cisco explained that certain security gaps allow unauthorised users to change a device's configuration.
"A malicious user must authenticate as an existing user but does not need to have administrator privileges or know administrator credentials to modify device configuration," the company noted.
Other vulnerabilities mean that interactions between an operator workstation and the Cisco Network Building Mediator could be intercepted by any willing person.
"A malicious user able to intercept the sessions could learn any credentials used during intercepted sessions (for administrators and non-administrators alike) and could subsequently take full control of the device," Cisco explained.
Other threats include potential password theft and account data loss.
Specifically, all weaknesses affect the legacy Richards-Zeta Mediator 2500 product and Cisco Network Building Mediator NBM-2400 and NBM-4800 models as well as Mediator Framework software releases prior to 3.1.1.
The NBM is a version of the Richards-Zeta Mediator that has been adapted by Cisco.
Given that the "workarounds" offered by Cisco are somewhat limited, affected firms will want to get hold of the free software updates that the provider has issued to deal with the security holes.
-
Cisco eyes network security gains for agentic AINews New network security updates aim to secure AI agents across enterprises
-
Cisco patches critical flaw affecting Identity Services EngineThe networking giant has urged enterprises to update immediately
-
96% of businesses have low cyber-readiness, claims CiscoThe 2025 Cisco Cybersecurity Readiness Index shows a concerning number of businesses globally are unprepared for rising AI-related threats.
-
Cisco takes aim at AI security at RSAC with ServiceNow partnershipNews The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
-
Cisco claims new smart switches provide next-level perimeter defenseNews Cisco’s ‘security everywhere’ mantra has just taken on new meaning with the launch of a series of smart network switches.
-
Cisco is jailbreaking AI models so you don’t have to worry about itNews Cisco's new AI Defense security solution helps organizations shore up LLM security by identifying potential flaws.
-
Cisco dispels Kraken data breach claims, insists stolen data came from old attackNews Cisco has refuted claims it has suffered a data breach after the Kraken threat group posted stolen data online.
-
Cisco patches critical flaws in Identity Services EngineNews Cisco has issued patches for a pair of critical vulnerabilities affecting its Identity Service Engine (ISE).
