Cisco AsyncOS for Secure Web Appliance Vulnerability: Arbitrary Command Execution and Privilege Escalation
CVE-2024-20435

8.8 HIGH

Key Information:

Vendor:
Cisco
CVE Published:
17 July 2024

Summary

A vulnerability in the command-line interface (CLI) of Cisco AsyncOS for Secure Web Appliance could allow an authenticated, local attacker to execute arbitrary commands and elevate privileges to root. The flaw is due to insufficient validation of user-supplied input passed to the CLI: an attacker who can authenticate to the appliance can issue a crafted command whose argument is not sanitised before it reaches the underlying operating system. A successful exploit gives the attacker arbitrary command execution on the underlying OS with root privileges, because the CLI itself runs with those privileges. Exploitation requires at least guest-level credentials, which is why the CVSS vector below rates Privileges Required as Low, and the escape from the restricted CLI to the host OS is what makes the Scope metric Changed.
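The pattern behind this class of bug, shown as an added example that is not Cisco's code and mirrors no AsyncOS internals: a restricted CLI subcommand (hypothetical name showpath) builds an OS command from its argument. The weak variant concatenates the argument into a shell command line; the hardened variant allow-lists the argument, passes it as an argv element so no shell parses it, and uses "--" so a leading "-" cannot be read as an option. The attacker input is constructed for the demonstration. On a real appliance the CLI process runs as root, so anything the shell is tricked into running inherits root; here it runs as whoever executes the script.

```python
import re
import subprocess


def show_path_vulnerable(path: str) -> str:
    """Weak variant (illustrative, not vendor code): the argument is spliced into
    a shell command string, so ; | & $( ) ` and newlines in `path` start new
    commands that run with the CLI process's privileges."""
    cmd = "ls -ld " + path
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout + out.stderr


# Allow-list for a path-like argument: first character may not be "-", so the
# value cannot be parsed as an option; shell metacharacters are excluded outright.
ARG_ALLOWED = re.compile(r"^[A-Za-z0-9._/][A-Za-z0-9._/-]*$")


def show_path_hardened(path: str) -> str:
    """Fixed variant: validate against the allow-list, then invoke the program
    with an argv list (no shell) and "--" to end option parsing."""
    if not ARG_ALLOWED.fullmatch(path):
        raise ValueError(f"invalid argument: {path!r}")
    # With an argv list the string is handed to ls verbatim; even without the
    # regex, ".; echo X" would be a literal (nonexistent) filename, not a command.
    out = subprocess.run(["ls", "-ld", "--", path], capture_output=True, text=True)
    return out.stdout + out.stderr


def rejects(path: str) -> bool:
    """True if the hardened handler refuses `path` (used for the checks below)."""
    try:
        show_path_hardened(path)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both handlers against a constructed injection payload."""
    injected = ".; echo INJECTED"  # constructed attacker input, harmless here
    return {
        "vulnerable_executes_injection": "INJECTED" in show_path_vulnerable(injected),
        "hardened_rejects_injection": rejects(injected),
        "hardened_rejects_option_injection": rejects("-R"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second rejection case matters in practice: an allow-list that only strips shell metacharacters still lets an attacker pass "-R" or "-o /etc/passwd" style values that the invoked program interprets as options. Validation of the argument's shape plus an argv list plus "--" closes both the shell-injection and the argument-injection path.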

Affected Version(s)

Cisco Secure Web Appliance 11.7.0-406

Cisco Secure Web Appliance 11.7.0-418

Cisco Secure Web Appliance 11.7.1-049

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 17 July 2024