To exploit this vulnerability, an attacker must be able to make authentication attempts to the vulnerable system using the name of an existing administrative account. The attacker must know the account name before the attack. The attacker may also require access to internal networks to send the authentication request, which could reduce the potential for exploitation.
If an exploit is successful, the attacker could bypass authentication and access restricted resources. The attacker could completely compromise systems protected by the ISA Server.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the July 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2009
The update available from Microsoft corrects this vulnerability by rejecting authentication requests that cannot be processed by Radius OTP.