Cisco AsyncOS for Secure Email Gateway Vulnerability Could Lead to Arbitrary System Command Execution
CVE-2024-20429

7.2HIGH

Key Information:

Vendor: Cisco
Status: Cisco Secure Email
Vendor: CVE Published:; 17 July 2024

What is CVE-2024-20429?

A vulnerability exists within the web-based management interface of Cisco AsyncOS for Secure Email Gateway, resulting from inadequate input validation. This flaw allows an authenticated remote attacker to execute arbitrary system commands on the affected device. By sending a specially crafted HTTP request to the device, an attacker with valid Operator credentials can gain unauthorized access to the underlying operating system, potentially leading to critical system compromises. Cisco has released an advisory detailing the specifics of this vulnerability and recommending immediate updates to affected products.

Affected Version(s)

Cisco Secure Email 11.0.3-238

Cisco Secure Email 11.1.0-069

Cisco Secure Email 11.1.0-131

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 17, 2024
Vulnerability Reserved
Nov 8, 2023