CVE-2024-20435

Summary

A vulnerability in the CLI of Cisco AsyncOS for Secure Web Appliance could allow an authenticated, local attacker to execute arbitrary commands and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the CLI. An attacker could exploit this vulnerability by authenticating to the system and executing a crafted command on the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. To successfully exploit this vulnerability, an attacker would need at least guest credentials.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Web Appliance11.7.0-406affected
CiscoCisco Secure Web Appliance11.7.0-418affected
CiscoCisco Secure Web Appliance11.7.1-049affected
CiscoCisco Secure Web Appliance11.7.1-006affected
CiscoCisco Secure Web Appliance11.7.1-020affected
CiscoCisco Secure Web Appliance11.7.2-011affected
CiscoCisco Secure Web Appliance11.8.0-414affected
CiscoCisco Secure Web Appliance11.8.1-023affected
CiscoCisco Secure Web Appliance11.8.3-018affected
CiscoCisco Secure Web Appliance11.8.3-021affected
CiscoCisco Secure Web Appliance12.0.1-268affected
CiscoCisco Secure Web Appliance12.0.3-007affected
CiscoCisco Secure Web Appliance12.5.2-007affected
CiscoCisco Secure Web Appliance12.5.1-011affected
CiscoCisco Secure Web Appliance12.5.4-005affected
CiscoCisco Secure Web Appliance12.5.5-004affected
CiscoCisco Secure Web Appliance12.5.6-008affected
CiscoCisco Secure Web Appliance14.5.0-498affected
CiscoCisco Secure Web Appliance14.5.1-016affected
CiscoCisco Secure Web Appliance14.5.2-011affected
CiscoCisco Secure Web Appliance14.0.3-014affected
CiscoCisco Secure Web Appliance14.0.2-012affected
CiscoCisco Secure Web Appliance14.0.4-005affected
CiscoCisco Secure Web Appliance14.0.5-007affected
CiscoCisco Secure Web Appliance15.0.0-322affected
CiscoCisco Secure Web Appliance15.0.0-355affected
CiscoCisco Secure Web Appliance15.1.0-287affected

Weaknesses

  • CWE-250: Execution with Unnecessary Privileges

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References