Cisco AsyncOS for Cisco Secure Web Appliance Vulnerability
CVE-2022-20871

6.3MEDIUM

Key Information:

Vendor
Cisco
Status
Cisco Secure Web Appliance
Vendor
CVE Published:
15 November 2024

Summary

A security vulnerability in the web management interface of Cisco Secure Web Appliance could enable an authenticated remote attacker to perform command injection and escalate privileges. This issue arises from insufficient validation of user-supplied input. By authenticating to the device and sending specifically crafted HTTP packets, an attacker may gain the ability to execute arbitrary commands at the root level of the operating system. The requirement for at least read-only credentials makes this vulnerability critical for those with limited access. Cisco has issued software updates to remediate this vulnerability, while currently, no workarounds exist.

Affected Version(s)

Cisco Secure Web Appliance 12.5.3-002

Cisco Secure Web Appliance 14.1.0-032

Cisco Secure Web Appliance 14.1.0-047

References

https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...
https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.