Unauthenticated API Access in Cisco Intersight Device Connector

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. An unauthenticated attacker with network access can exploit this vulnerability by sending crafted requests to the exposed endpoint to enumerate cluster metadata, including virtual machine information and cluster configuration details. While the API primarily supports read-only operations, it also allows certain cluster maintenance workflows to be invoked. Although this vulnerability does not allow persistent modification of system configurations or access to credentials or sensitive user data, successful exploitation may result in disruption of active workloads, leading to loss of service availability within the affected environment.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-5944 represents a critical authentication bypass in the Cisco Intersight Device Connector for Nutanix Prism Central, where an unauthenticated API passthrough endpoint on TCP port 7373 exposes sensitive cluster metadata without any access controls. This vulnerability affects organizations running Nutanix Prism Central deployments integrated with Cisco Intersight, allowing any attacker with network access to the deployment environment to enumerate virtual machine information, cluster configurations, and other operational details. The combination of CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization) makes this particularly dangerous, as attackers can gather reconnaissance data necessary for lateral movement or privilege escalation attacks without credentials.

Casky's Claude-powered security skills would detect exploitation patterns associated with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1548 (Abuse Elevation Control Mechanism) by identifying unauthenticated requests to TCP 7373 returning sensitive API responses that should require authentication. Practitioners using Casky would observe anomalous findings including: repeated API endpoint queries originating from unexpected network segments, successful enumeration of cluster metadata without corresponding authentication logs, and reconnaissance-pattern traffic requesting /api/* paths that bypass Intersight authentication mechanisms. The extended reasoning capability would correlate these network indicators with the absence of valid credential usage, flagging the passthrough endpoint as an unauthenticated access point requiring immediate patching and network segmentation to prevent further exposure of Nutanix infrastructure details.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-5944.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-5944

Casky has 261 skills that investigate the attack patterns behind CVE-2026-5944. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn