More than 42 Cisco products might inherit the Apache Struts bug that emerged last week.

Last Tuesday, Semmle researchers revealed the bug, which lets an attacker send a crafted request to Struts' REST API to inject malicious code.

Like many vendors, Cisco long ago adopted the open-source Apache for its Web interfaces, and went to work identifying where the vulnerable Struts frameworks are in use.

To date, Switchzilla announced on Friday, it's found 42 products across a wide swathe of its portfolio.

Products in its collaboration and network management ranges, the Identity Services Engine, a bunch of Cisco Prime software, voice and unified communication, video and telepresence, and hosted services are currently under investigation.

Because the bug allows remote attackers to execute code – in this case, on sensitive kit – Cisco has assigned the “critical” tag to its advisory (in line with Apache).

Cisco says the advisory will be updated if and when it identifies vulnerable products, posts patches, or develops workarounds. ®