LiveActive security incident?Get immediate response
CVE Record

CVE-2019-1859: Cisco Small Business Switches Secure Shell Certificate Authentication Bypass Vulnerability

A vulnerability in the Secure Shell (SSH) authentication process of Cisco Small Business Switches software could allow an attacker to bypass client-side certificate authentication and revert to password authentication. The vulnerability exists because OpenSSH mishandles the authentication process. An attacker could exploit this vulnerability by attempting to connect to the device via SSH. A successful exploit could allow the attacker to access the configuration as an administrative user if the default credentials are not changed. There are no workarounds available; however, if client-side certificate authentication is enabled, disable it and use strong password authentication. Client-side certificate authentication is disabled by default.

HighCVSS 7.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This flaw can weaken SSH login protection on affected Cisco Small Business 200 Series Smart Switches. If certificate-based client authentication is enabled, an attacker can force SSH to fall back to password authentication. The main business risk is administrative access if devices still use default or weak credentials, exposing network configuration and control.

Executive priority

Treat as high priority for managed network infrastructure, especially internet- or broadly reachable switch management interfaces. Urgency is lower where SSH is restricted, certificate authentication is disabled, and strong non-default credentials are enforced.

Technical view

In affected Cisco Small Business 200 Series Smart Switches software, OpenSSH mishandles SSH authentication, allowing bypass of client-side certificate authentication and fallback to password authentication. Cisco rates it CVSS 3.0 7.2, high severity, with network reachability, low attack complexity, and high confidentiality, integrity, and availability impact.

Likely exposure

Exposure is most likely where affected switches allow SSH access, client-side certificate authentication is enabled, and default or weak administrative passwords remain. The provided bundle identifies Cisco Small Business 200 Series Smart Switches only; broader product impact is not assumed.

Exploitation context

The bundle does not show CISA KEV listing or confirmed active exploitation. Cisco describes exploitation as an SSH connection attempt that causes fallback to password authentication, with administrative access possible if default credentials were not changed.

Researcher notes

The record attributes the issue to OpenSSH authentication handling in Cisco Small Business switch software. Evidence supports authentication downgrade to password auth, not direct password bypass. No workaround is listed, but Cisco recommends disabling client-side certificate authentication and using strong password authentication.

Mitigation direction

  • Check Cisco advisory guidance for fixed software or model-specific instructions.
  • Disable client-side certificate authentication if it is enabled.
  • Use strong, non-default administrative passwords for switch management.
  • Restrict SSH management access to trusted administrative networks.
  • Inventory affected Cisco Small Business 200 Series switches.

Validation and detection

  • Identify deployed Cisco Small Business 200 Series Smart Switches.
  • Confirm whether SSH management is enabled and reachable.
  • Check whether client-side certificate authentication is enabled.
  • Verify default credentials have been changed everywhere.
  • Review Cisco advisory status for the installed software version.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-285: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-1859 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.2 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.2CVSS 3.0HighCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H1.25.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

7.2High
CVSS 3.0 vector shape for CVE-2019-1859Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Small Business 200 Series Smart Switchesunspecified, unspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-285 · source CWE mapping

Improper Authorization

Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.