Cisco has released security updates to address a critical vulnerability in the IOx application environment for Cisco IOS Software that could enable authenticated remote attackers to access the Guest Operating System (Guest OS) as the root user. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. There are currently no workarounds to mitigate CVE-2019-12648, but for devices that can’t be quickly upgraded, the attack vector can be removed by uninstalling the Guest OS until the devices can be patched.
Source: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-iox-flaw-allowing-root-access-to-guest-os/

