The Cisco VPN 5000 series concentrator running firmware versions 6.0.21.0002 and 5.2.23.003 (and prior) sends the user's password in plain text to the RADIUS server in PAP authentication validation retry request packets. Attackers sniffing the network may be able to recover the user's password.