CVE-2024-20429

Summary

A vulnerability in the web-based management interface of Cisco AsyncOS for Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary system commands on an affected device. This vulnerability is due to insufficient input validation in certain portions of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To successfully exploit this vulnerability, an attacker would need at least valid Operator credentials.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email11.0.3-238affected
CiscoCisco Secure Email11.1.0-069affected
CiscoCisco Secure Email11.1.0-131affected
CiscoCisco Secure Email11.1.0-128affected
CiscoCisco Secure Email12.0.0-419affected
CiscoCisco Secure Email12.1.0-071affected
CiscoCisco Secure Email12.1.0-087affected
CiscoCisco Secure Email12.1.0-089affected
CiscoCisco Secure Email13.0.0-392affected
CiscoCisco Secure Email13.0.5-007affected
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email13.5.4-038affected
CiscoCisco Secure Email12.5.0-066affected
CiscoCisco Secure Email12.5.4-041affected
CiscoCisco Secure Email12.5.3-041affected
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email14.2.1-020affected

Weaknesses

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References