Preface: A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API.
About REST API: The attacker could be on the client side, and in some cases this means a compromise of your REST API. Where the victim is the REST API server, the attacker can create a rogue, malicious app. This is exactly what Cisco is going to address.
Speculation: A hacker could exploit it this way: packaging the Java org.flowable.CallExternalSystemDelegate package into a jar.
Affected Products: Software Release 4.1, 4.2, 4.3, or 4.4 when the REST API is enabled.
Remark: The REST API is not enabled by default.
Official announcement: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190507-esc-authbypass