CVE-2024-20501

CWE-787 — Out-of-bounds Write CWE-400 — Uncontrolled Resource Consumption CWE-415 CWE-639 — Insecure Direct Object Reference4 documents4 sources

Severity

7.5HIGH

EPSS

0.5%

top 35.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Meraki Mx100 Firmware Cisco Meraki Mx105 Firmware Cisco Meraki Mx250 Firmware +23 more

Timeline

PublishedOct 2

Description

Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device. These vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected dev…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages26 packages

▶NVDcisco/meraki_z3_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4_firmware16.2 — 18.211.2

▶NVDcisco/meraki_vmx_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z3c_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4c_firmware16.2 — 18.211.2

🔴Vulnerability Details

GHSA

GHSA-56gq-526p-7vqp: Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an una↗2024-10-02

▶

CVEList

CVE-2024-20501: Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an una↗2024-10-02

▶

📋Vendor Advisories

Cisco

Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities↗2024-10-02

▶