
A Hidden Door in Cisco's Cloud Software Lets Attackers Peek Inside Your Data Center — No Password Required

A serious flaw in Cisco's Intersight software leaves corporate data centers exposed to snooping attackers. Here's what's at risk and what to do right now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Somewhere inside your company's data center, there may be a door that anyone on your corporate network can walk through — no key, no badge, no password — and quietly read the blueprints of your entire infrastructure.

Who Is at Risk — and Why It Matters

This is the reality for every organization running Cisco Intersight alongside Nutanix Prism Central, a popular combination used by thousands of enterprises worldwide to manage their private cloud infrastructure. Hospitals, financial institutions, manufacturers, government agencies — anyone who uses this software stack to manage their virtual machines and server clusters is potentially exposed.

Nutanix counts over 25,000 customers globally, and Cisco Intersight is a cornerstone of modern hybrid cloud management. The flaw, tracked as CVE-2026-5944, scores an 8.2 out of 10 on the industry's severity scale — firmly in "High" territory. While attackers haven't been confirmed to exploit this in the wild yet, the window between "discovered" and "weaponized" has grown dangerously short in recent years. Security teams should treat this as urgent.

What's Actually Happening Here

Imagine your company's entire server operation is managed from a single control room. Inside that control room are floor plans of every computer, every virtual machine, every network configuration — essentially the complete architectural blueprint of your IT environment. Now imagine that control room has a side door, and someone forgot to put a lock on it. That's roughly what's happening here.

Cisco's Intersight software includes a component called the Device Connector, which acts as a bridge between your on-premise hardware and Cisco's cloud management platform. To do its job, it runs a local service that can relay certain commands and data. The problem is that this service is quietly listening for connections on a specific network port — and it will talk to anyone who connects, without ever asking who they are. An attacker who is already on your internal network (think: a rogue employee, a contractor with Wi-Fi access, or a hacker who's already broken through your outer defenses) can connect directly to this service and ask it questions. It will answer.

Those answers include detailed information about your virtual machines — their names, configurations, and relationships — as well as cluster-level setup details that would give an attacker an incredibly detailed map of your infrastructure. In a targeted attack, this kind of intelligence is gold. It tells a criminal exactly what's running, where the valuable systems are, and potentially how to move deeper into your environment. And according to the vulnerability description, it isn't strictly limited to just reading: certain cluster-level operations may also be possible, raising the stakes beyond simple snooping into potential manipulation.

The Technical Detail That Makes This Serious

For security researchers and network defenders: the exposed surface is an unauthenticated API passthrough endpoint bound to TCP port 7373 within the Device Connector for Nutanix Prism Central. The vulnerability class is improper access control (CWE-284) — meaning the service exists, is reachable, and performs privileged data operations, but enforces zero authentication on inbound requests. The attack vector is Network, requires no privileges, and demands no user interaction, giving it a CVSS 3.1 base score of 8.2 (High). The "passthrough" nature of the endpoint means requests may be forwarded upstream to Nutanix Prism Central's API layer, potentially inheriting elevated trust from the connector's internal position.

How This Was Found — and What We Know So Far

As of publication, Cisco has not confirmed any active exploitation of CVE-2026-5944 in the wild. There are no known ransomware campaigns, state-sponsored operations, or confirmed victim organizations tied to this vulnerability at this time. However, the security community's experience with similar authentication-bypass flaws on internal management interfaces — including past Cisco vulnerabilities affecting Smart Software Manager and IOS XE — shows that "no known exploitation" can change rapidly once a CVE number is public and proof-of-concept code begins circulating on exploit databases and hacker forums.

The nature of this flaw — an open port on an internal network interface — means it is unlikely to be discovered by external internet scanners like Shodan, which actually reduces the immediate noise but doesn't reduce the risk for organizations where an attacker already has a foothold. Insider threats and post-compromise lateral movement are the primary threat models here.

What You Should Do Right Now

If your organization uses Cisco Intersight with Nutanix Prism Central, take these three steps immediately:

  1. Apply Cisco's patch as soon as it is available. Monitor Cisco's Security Advisory portal (sec.cloudapps.cisco.com) for an updated Device Connector version that closes the unauthenticated endpoint on TCP port 7373. Cisco typically releases patched software versions in its advisory; do not wait for your next scheduled maintenance window — schedule an emergency change if needed.
  2. Immediately restrict network access to TCP port 7373 using firewall rules or network segmentation. If your management plane and production workloads share the same network segment, this is your most urgent action. Apply host-based firewall rules or network ACLs to ensure that only explicitly trusted management hosts can reach port 7373 on systems running the Intersight Device Connector. The fewer systems that can talk to this port, the smaller your exposure window while you wait for a patch.
  3. Audit your network logs for unexpected connections to port 7373 going back at least 90 days. Even though active exploitation hasn't been confirmed publicly, you cannot assume your environment is clean. Pull firewall logs, NetFlow data, or endpoint detection logs and look for any connection attempts — successful or failed — to this port from hosts that aren't your designated management systems. Treat any anomaly as a potential indicator of compromise and escalate to your incident response team.
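
As an added illustration of step 3 (example code, not from Cisco or from the original article), the Python below scans firewall-style log lines for TCP 7373 traffic from hosts outside a trusted management allowlist, keeping denied attempts as well as allowed ones; the key=value log format, IP addresses and allowlist are constructed assumptions.

```python
"""Audit connection logs for access to the Device Connector passthrough port (TCP 7373)
from hosts outside the trusted management allowlist. Added example; all values are constructed."""
import ipaddress
from collections import defaultdict

DEVICE_CONNECTOR_PORT = 7373

# Hosts permitted to reach port 7373 (constructed example values).
TRUSTED_MGMT_HOSTS = {ipaddress.ip_address("10.10.0.5"),
                      ipaddress.ip_address("10.10.0.6")}

# Constructed firewall log excerpt in a simple key=value format (assumed, not a vendor format).
SAMPLE_LOG = """
ts=2026-03-01T08:00:01Z src=10.10.0.5 dst=10.20.1.15 dport=7373 proto=tcp action=allow
ts=2026-03-01T08:05:44Z src=10.30.7.22 dst=10.20.1.15 dport=7373 proto=tcp action=allow
ts=2026-03-01T08:05:45Z src=10.30.7.22 dst=10.20.1.15 dport=7373 proto=tcp action=allow
ts=2026-03-01T09:12:03Z src=10.30.7.22 dst=10.20.1.16 dport=7373 proto=tcp action=deny
ts=2026-03-01T09:30:00Z src=10.10.0.6 dst=10.20.1.15 dport=443 proto=tcp action=allow
ts=2026-03-01T10:00:00Z src=192.168.50.9 dst=10.20.1.15 dport=7373 proto=udp action=deny
"""

def parse_line(line):
    """Parse one key=value log line into a dict; None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if {"src", "dst", "dport", "proto", "action"}.issubset(fields) else None

def find_untrusted_access(log_text, trusted=TRUSTED_MGMT_HOSTS, port=DEVICE_CONNECTOR_PORT):
    """Return {src_ip: {"allow": n, "deny": n, "targets": set}} for every source
    outside the allowlist that touched the port over TCP. Denied attempts are kept:
    a blocked probe from a non-management host is still worth escalating."""
    findings = defaultdict(lambda: {"allow": 0, "deny": 0, "targets": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or int(rec["dport"]) != port:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src in trusted:
            continue  # designated management host, expected traffic
        entry = findings[str(src)]
        entry["allow" if rec["action"] == "allow" else "deny"] += 1
        entry["targets"].add(rec["dst"])
    return dict(findings)
```

Run it against the constructed log and the only finding is 10.30.7.22, with two allowed connections and one denied attempt across two connector hosts; point it at real exports by replacing SAMPLE_LOG and the allowlist.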

CVE-2026-5944 carries a CVSS base score of 8.2 (High). No patch release date has been confirmed at time of publication. Organizations should monitor Cisco's official security advisories for updates. This article will be updated as new information becomes available.
