CVE-2024-20280

MEDIUM

Cisco UCS Central Software - Info Disclosure

Title source: llm

Description

A vulnerability in the backup feature of Cisco UCS Central Software could allow an attacker with access to a backup file to learn sensitive information that is stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method that is used for the backup function. An attacker could exploit this vulnerability by accessing a backup file and leveraging a static key that is used for the backup configuration feature. A successful exploit could allow an attacker with access to a backup file to learn sensitive information that is stored in full state backup files and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and the device SSL server certificate and key.

References (1)

[Vendor Advisory] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsc-bkpsky-TgJ5f73J

Scores

CVSS v3 6.3

EPSS 0.0009

EPSS Percentile 25.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-321 CWE-798

Status published

Products (38)

cisco/ucs_central_software 1.0\(1a\)

cisco/ucs_central_software 1.1\(1a\)

cisco/ucs_central_software 1.1\(1b\)

cisco/ucs_central_software 1.1\(2a\)

cisco/ucs_central_software 1.2\(1a\)

cisco/ucs_central_software 1.2\(1d\)

cisco/ucs_central_software 1.2\(1e\)

cisco/ucs_central_software 1.2\(1f\)

cisco/ucs_central_software 1.3\(1a\)

cisco/ucs_central_software 1.3\(1b\)

... and 28 more

Published Oct 16, 2024

Tracked Since Feb 18, 2026