CVE-2024-20391

CWE-306 — Missing Authentication4 documents4 sources

Severity

6.8MEDIUM

EPSS

0.4%

top 42.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Secure Client Cisco Cisco Secure Client

Timeline

PublishedMay 15

Description

A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. This vulnerability is due to a lack of authentication on a specific function. A successful exploit could allow the attacker to execute arbitrary code with SYSTEM privileges on an affected device.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶NVDcisco/secure_client< 5.1.3.62

▶CVEListV5cisco/cisco_secure_client37 versions+36

🔴Vulnerability Details

CVEList

CVE-2024-20391: A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an a↗2024-05-15

▶

GHSA

GHSA-gmvc-mphj-2pr4: A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an a↗2024-05-15

▶

📋Vendor Advisories

Cisco

Cisco Secure Client for Windows with Network Access Manager Module Privilege Escalation Vulnerability↗2024-05-15

▶