CVE-2024-20435

HIGH

Cisco AsyncOS - Command Injection

Title source: llm

Description

A vulnerability in the CLI of Cisco AsyncOS for Secure Web Appliance could allow an authenticated, local attacker to execute arbitrary commands and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the CLI. An attacker could exploit this vulnerability by authenticating to the system and executing a crafted command on the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. To successfully exploit this vulnerability, an attacker would need at least guest credentials.

References (1)

[Vendor Advisory] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-priv-esc-7uHpZsCC

Scores

CVSS v3 8.8

EPSS 0.0010

EPSS Percentile 27.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-250

Status published

Products (27)

cisco/asyncos 11.7.0-406

cisco/asyncos 11.7.0-418

cisco/asyncos 11.7.1-006

cisco/asyncos 11.7.1-020

cisco/asyncos 11.7.1-049

cisco/asyncos 11.7.2-011

cisco/asyncos 11.8.0-414

cisco/asyncos 11.8.1-023

cisco/asyncos 11.8.3-018

cisco/asyncos 11.8.3-021

... and 17 more

Published Jul 17, 2024

Tracked Since Feb 18, 2026