CVE-2024-20335

MEDIUM

Cisco Small Business - Command Injection

Title source: llm

Description

A vulnerability in the web-based management interface of Cisco Small Business 100, 300, and 500 Series Wireless APs could allow an authenticated, remote attacker to perform command injection attacks against an affected device. In order to exploit this vulnerability, the attacker must have valid administrative credentials for the device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.

References (1)

Core 1

Core References

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB

Scores

CVSS v3 6.5

EPSS 0.0014

EPSS Percentile 32.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (12)

cisco/wap121_firmware

cisco/wap125_firmware

cisco/wap131_firmware

cisco/wap150_firmware

cisco/wap320_firmware

cisco/wap321_firmware

cisco/wap351_firmware

cisco/wap361_firmware

cisco/wap371_firmware

cisco/wap571_firmware

... and 2 more

Published Mar 06, 2024

Tracked Since Feb 18, 2026