Unauthenticated Attacker Could Bypass Pre-Authentication ACL in Cisco IOS XE Software for Wireless Controllers
CVE-2024-20510

9.3 CRITICAL

Key Information:

Vendor: Cisco
Status: Vendor
CVE Published: 25 September 2024

Summary

A logic error in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers allows an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (ACL). The flaw arises during activation of the pre-authentication ACL received from the authentication, authorization, and accounting (AAA) server. By exploiting this vulnerability, an attacker can connect to a wireless network configured for CWA and transmit traffic through a compromised device, circumventing the protections that the ACL should have enforced. Successful exploitation can lead to unauthorized access to trusted network resources, posing a serious threat to network security.

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published