Red Balloon Security, Inc. is disclosing two vulnerabilities affecting the products of Cisco Systems, Inc. (“Cisco”). The first, known as 😾😾😾, allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second is a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

Today, Cisco is taking a big step towards empowering developers with more comprehensive and practical tools for building conversational applications by open-sourcing the MindMeld Conversational AI Platform.