Blog | G5 Cyber Security

Cisco Fixes Critical Vulnerability in Elastic Services Controller

An unauthenticated, remote attacker could exploit the flaw on deployments that have the REST API enabled. The security issue is now identified as CVE-2019-1867, and its cause is improper validation of API requests. An attacker who exploits it successfully can bypass authentication on the REST API and run arbitrary actions with administrative privileges. The vulnerability was found internally during security testing, and there is no evidence that it has been exploited in the wild. The company rolled out patches for each of its major versions: Software Release 4.1, 4.2, 4.3, or 4.4.

Source: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-vulnerability-in-elastic-services-controller/
