CVE-2024-20263

CWE-284 — Improper Access Control4 documents4 sources

Severity

7.2HIGH

EPSS

0.0%

top 97.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cbs250-16p-2g Firmware Cisco Cbs250-16t-2g Firmware Cisco Cbs250-24fp-4g Firmware +83 more

Timeline

PublishedJan 26

Description

A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. This vulnerability is due to incorrect processing of ACLs on a stacked configuration when either the primary or backup switches experience a full stack reload or power cycle. An attacker could ex…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages86 packages

▶CVEListV5cisco/cisco_small_business_smart_and_managed_switches34 versions+33

▶NVDcisco/sf550x-24_firmware2.5 — 2.5.9.54

▶NVDcisco/sf550x-48_firmware2.5 — 2.5.9.54

▶NVDcisco/sg350x-24_firmware2.5 — 2.5.9.54

▶NVDcisco/sg350x-48_firmware2.5 — 2.5.9.54

🔴Vulnerability Details

CVEList

CVE-2024-20263: A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Bu↗2024-01-26

▶

GHSA

GHSA-h49c-jgw7-9grp: A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Bu↗2024-01-26

▶

📋Vendor Advisories

Cisco

Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability↗2024-01-24

▶