CVE-1999-0161 in IOS
Summary
by MITRE
In Cisco IOS 10.3, with the tacacs-ds or tacacs keyword, an extended IP access control list could bypass filtering.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/16/2026
The vulnerability described in CVE-1999-0161 represents a significant security flaw in Cisco IOS version 10.3 that affects the handling of extended IP access control lists when the tacacs-ds or tacacs keyword is configured. This issue specifically impacts network devices running Cisco IOS software where TACACS+ authentication is enabled through the tacacs-ds or tacacs keyword configuration parameters. The flaw allows malicious actors to circumvent network security controls that should otherwise restrict or permit specific traffic flows based on extended IP access control list rules.
The technical nature of this vulnerability stems from improper processing of access control list entries when TACACS+ authentication is active. When the tacacs-ds or tacacs keyword is applied to extended IP access control lists, the Cisco IOS software fails to properly validate or enforce the access control rules. This creates a condition where packets that should be denied by the access control list can pass through the network device, effectively bypassing the intended security filtering mechanisms. The vulnerability manifests specifically in the interaction between the TACACS+ authentication system and the extended IP access control list processing engine within the IOS kernel.
The operational impact of this vulnerability is substantial as it undermines the fundamental security posture of network devices running affected Cisco IOS versions. Network administrators who rely on extended IP access control lists for traffic filtering and security policy enforcement may find their protections rendered ineffective. This bypass allows unauthorized network access patterns that could enable data exfiltration, lateral movement within the network, or other malicious activities. The vulnerability particularly affects enterprise networks where TACACS+ is commonly used for remote access authentication and where extended access control lists are deployed to restrict network traffic based on source and destination IP addresses, ports, and protocols.
Organizations affected by this vulnerability should immediately implement mitigations including updating to Cisco IOS versions that address this specific flaw, disabling the tacacs-ds or tacacs keyword configuration when extended IP access control lists are in use, or implementing alternative security controls such as firewall rules or network segmentation. The vulnerability aligns with CWE-284 Access Control Issues, specifically concerning improper access control enforcement when multiple authentication mechanisms interact with access control lists. From an ATT&CK perspective, this vulnerability enables techniques such as privilege escalation and defense evasion by allowing bypass of network-level access controls that should prevent unauthorized network access patterns. Network security teams should conduct immediate audits of their TACACS+ configurations and access control list implementations to identify and remediate affected devices.