CVE-2024-20435

A vulnerability in the CLI of Cisco AsyncOS for Secure Web Appliance could allow an authenticated, local attacker to execute arbitrary commands and elevate privileges to root.

This vulnerability is due to insufficient validation of user-supplied input for the CLI. An attacker could exploit this vulnerability by authenticating to the system and executing a crafted command on the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. To successfully exploit this vulnerability, an attacker would need at least guest credentials.
CVSS scoring by provider:

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   8.8 HIGH     LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cisco      CNA    8.8 HIGH     LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA-ADP   ADP    ---          ---           ---               ---              ---
CVE        ADP    ---          ---           ---               ---              ---
Base Score: CVSS 3.x
EPSS Score: percentile 34%
Vulnerable software versions:

Vendor   Product   Version
cisco    asyncos   11.7.0-406
cisco    asyncos   11.7.0-418
cisco    asyncos   11.7.1-006
cisco    asyncos   11.7.1-020
cisco    asyncos   11.7.1-049
cisco    asyncos   11.7.2-011
cisco    asyncos   11.8.0-414
cisco    asyncos   11.8.1-023
cisco    asyncos   11.8.3-018
cisco    asyncos   11.8.3-021
cisco    asyncos   12.0.1-268
cisco    asyncos   12.0.3-007
cisco    asyncos   12.5.1-011
cisco    asyncos   12.5.2-007
cisco    asyncos   12.5.4-005
cisco    asyncos   12.5.5-004
cisco    asyncos   12.5.6-008
cisco    asyncos   14.0.2-012
cisco    asyncos   14.0.3-014
cisco    asyncos   14.0.4-005
cisco    asyncos   14.0.5-007
cisco    asyncos   14.5.0-498
cisco    asyncos   14.5.1-016
cisco    asyncos   14.5.2-011
cisco    asyncos   15.0.0-322
cisco    asyncos   15.0.0-355
cisco    asyncos   15.1.0-287