CVE-2024-20391

Summary

A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of authentication on a specific function. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on an affected device.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Client4.9.00086affected
CiscoCisco Secure Client4.9.01095affected
CiscoCisco Secure Client4.9.02028affected
CiscoCisco Secure Client4.9.03047affected
CiscoCisco Secure Client4.9.03049affected
CiscoCisco Secure Client4.9.04043affected
CiscoCisco Secure Client4.9.04053affected
CiscoCisco Secure Client4.9.05042affected
CiscoCisco Secure Client4.9.06037affected
CiscoCisco Secure Client4.10.00093affected
CiscoCisco Secure Client4.10.01075affected
CiscoCisco Secure Client4.10.02086affected
CiscoCisco Secure Client4.10.03104affected
CiscoCisco Secure Client4.10.04065affected
CiscoCisco Secure Client4.10.04071affected
CiscoCisco Secure Client4.10.05085affected
CiscoCisco Secure Client4.10.05095affected
CiscoCisco Secure Client4.10.05111affected
CiscoCisco Secure Client4.10.06079affected
CiscoCisco Secure Client4.10.06090affected
CiscoCisco Secure Client4.10.07061affected
CiscoCisco Secure Client4.10.07062affected
CiscoCisco Secure Client4.10.07073affected
CiscoCisco Secure Client4.10.08025affected
CiscoCisco Secure Client4.10.08029affected
CiscoCisco Secure Client5.0.00238affected
CiscoCisco Secure Client5.0.00529affected
CiscoCisco Secure Client5.0.00556affected
CiscoCisco Secure Client5.0.01242affected
CiscoCisco Secure Client5.0.02075affected
CiscoCisco Secure Client5.0.03072affected
CiscoCisco Secure Client5.0.03076affected
CiscoCisco Secure Client5.0.04032affected
CiscoCisco Secure Client5.0.05040affected
CiscoCisco Secure Client5.1.0.136affected
CiscoCisco Secure Client5.1.1.42affected
CiscoCisco Secure Client5.1.2.42affected

Weaknesses

  • CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References