CVE-2022-20933
Published 2022-10-26
Priority P278 high · 8.6 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.99% (58.2th percentile)
A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention. Cisco Meraki has released software updates that address this vulnerability.
Affected
44 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_meraki_mx_firmware | — | — |
| cisco | meraki_mx100_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx100_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx105_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx105_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx250_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx250_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx400_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx400_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx450_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx450_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx600_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx600_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx64_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx64_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx64w_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx64w_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx65_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx65_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx65w_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx65w_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx67_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx67_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
| cisco | meraki_mx67cw_firmware | >= 16.2.0 < 16.16.6 | 16.16.6 |
| cisco | meraki_mx67cw_firmware | >= 17.0.0 < 17.10.1 | 17.10.1 |
Detection & IOCs
- Scope: the Cisco AnyConnect VPN server (SSL VPN) on Cisco Meraki MX and Z3 Teleworker Gateway devices. Look for malformed or crafted requests during SSL VPN session establishment that cause the VPN server process to crash and restart.
- Monitor for repeated SSL VPN session establishment attempts with anomalous or malformed client-supplied parameters, particularly patterns that correlate with VPN server restarts or mass disconnection of established SSL VPN sessions.
- A sustained attack pattern (repeated malicious requests) that prevents new SSL VPN connections from being established can be an indicator; alert on high-frequency connection attempts to the AnyConnect VPN endpoint from unauthenticated sources.
- No workarounds are available for this vulnerability; the only remediation is applying the Cisco Meraki software updates.
- The AnyConnect VPN server self-recovers after attack traffic stops, so no manual intervention is needed, but this also means the DoS is transient and may be harder to correlate post-incident without logging.
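The correlation these bullets describe, as an added example that is not part of the advisory or of any vendor tooling: it flags VPN server restarts that follow a burst of unauthenticated session attempts from one source and coincide with a mass disconnect, then checks whether such restarts repeat. The event schema, thresholds, function names and sample data are assumptions constructed for illustration, not a Meraki log format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed normalized event: (ISO timestamp, kind, source). Not a Meraki log format.
# kind: "attempt" = SSL VPN session setup that never completed authentication,
#       "restart" = VPN server process restart, "drop" = established session lost.

def correlate(events, lookback_s=60, drop_s=30, min_attempts=5, min_drops=3):
    """One finding per restart preceded by an attempt burst and tied to mass drops."""
    evs = sorted(((datetime.fromisoformat(t), k, s) for t, k, s in events),
                 key=lambda e: e[0])
    findings = []
    for ts, kind, _ in evs:
        if kind != "restart":
            continue
        burst = Counter(s for t, k, s in evs if k == "attempt"
                        and timedelta(0) <= ts - t <= timedelta(seconds=lookback_s))
        drops = sum(1 for t, k, _ in evs if k == "drop"
                    and abs(t - ts) <= timedelta(seconds=drop_s))
        suspects = sorted(s for s, n in burst.items() if n >= min_attempts)
        if suspects and drops >= min_drops:
            findings.append({"restart": ts.isoformat(), "suspects": suspects,
                             "dropped_sessions": drops})
    return findings

def sustained(findings, min_restarts=3, span_s=600):
    """True when correlated restarts repeat within span_s (the sustained pattern)."""
    times = [datetime.fromisoformat(f["restart"]) for f in findings]
    return any(times[i + min_restarts - 1] - times[i] <= timedelta(seconds=span_s)
               for i in range(len(times) - min_restarts + 1))

def sample_events():
    """Constructed data: three crash cycles plus one unrelated restart."""
    base, out = datetime(2022, 10, 26, 10, 0, 0), []
    for r in range(3):
        start = base + timedelta(minutes=3 * r)
        restart = start + timedelta(seconds=30)
        out += [((start + timedelta(seconds=5 * i)).isoformat(), "attempt",
                 "198.51.100.7") for i in range(6)]
        out.append((restart.isoformat(), "restart", None))
        out += [((restart + timedelta(seconds=1)).isoformat(), "drop", f"user{i}")
                for i in range(4)]
    out += [("2022-10-26T12:00:00", "attempt", "203.0.113.9"),
            ("2022-10-26T12:00:10", "restart", None)]
    return out

if __name__ == "__main__":
    found = correlate(sample_events())
    print(found, "sustained:", sustained(found))
```

Because the server recovers on its own once traffic stops, the restart and drop events must be retained in central logging for this correlation to be possible after the fact.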
CVSS provenance
nvd · v3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vulncheck · 8.6 HIGH
vendor_cisco · 8.6 HIGH
Cisco
Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability
vendor_cisco·2022-10-19·CVSS 8.6
CVE-2022-20933 [HIGH] CWE-234 Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability
Cisco
Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability
vendor_cisco·CVSS 3.1
GHSA
GHSA-9vrx-xfr3-hfjj: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, r
ghsa_unreviewed·2022-10-26
CVE-2022-20933 [HIGH] GHSA-9vrx-xfr3-hfjj: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, r
VulnCheck
Cisco meraki_mx64_firmware Failure to Handle Missing Parameter
vulncheck·2022·CVSS 8.6
CVE-2022-20933 [HIGH] Cisco meraki_mx64_firmware Failure to Handle Missing Parameter
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-10-26: Published
Exploited in the wild