The list of Cisco products considered vulnerable to the subject bug now appears to include ESA and SMA boxes:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
The article on The Register that led me there states that only Cloud and CRES customers are at risk.
Could we have some clarification on this?
If ESA tin is vulnerable, are there any obvious points that might reassure us?