Cisco has released a Security Advisory regarding a vulnerability in some versions of its Secure ACS software. The vulnerability allows a remote, unauthenticated user to change the password of any user account without knowing the previous password. It doesn't apply to certain accounts, such as those authenticated "off box" through LDAP or RADIUS. It also doesn't affect ACS system admin accounts; only user accounts are affected. However, the risk of someone taking control of an account with level 15 access to a Cisco device warrants fixing this right away.
Affected versions are Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (not patch 6), and Cisco Secure ACS version 5.2 with no patches or with patch 1 or 2 (not patch 3). If you are still running version 4.x, you aren't vulnerable to this attack.