⚠ Actively exploited
Added to CISA KEV on 2023-10-10. Federal agencies required to patch by 2023-10-31. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..
CVE-2023-20109 — Out-of-bounds Write in Cisco IOS XE Software
Severity
6.6MEDIUMNVD
EPSS
0.6%
top 29.64%
CISA KEV
KEV
Added 2023-10-10
Due 2023-10-31
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedSep 27
KEV addedOct 10
KEV dueOct 31
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash.
This vulnerability is due to insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could exp…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9
Affected Packages4 packages
🔴Vulnerability Details
3GHSA▶
GHSA-7h8h-8482-vvfh: A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authentica↗2023-09-27
CVEList▶
CVE-2023-20109: A vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software could allow an authentica↗2023-09-27