CVE-2024-20502

CWE-400 — Uncontrolled Resource Consumption CWE-415 CWE-639 — Insecure Direct Object Reference CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

7.5HIGH

EPSS

0.3%

top 42.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Meraki Mx100 Firmware Cisco Meraki Mx105 Firmware Cisco Meraki Mx250 Firmware +23 more

Timeline

PublishedOct 2

Description

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to insufficient resource management while establishing SSL VPN sessions. An attacker could exploit this vulnerability by sending a series of crafted HTTPS requests to the VPN server of an affected device. A successful exploit could allow the attacker to …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages26 packages

▶NVDcisco/meraki_z3_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4_firmware16.2 — 18.211.2

▶NVDcisco/meraki_vmx_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z3c_firmware16.2 — 18.211.2

▶NVDcisco/meraki_z4c_firmware16.2 — 18.211.2

🔴Vulnerability Details

GHSA

GHSA-2r9m-635c-rmwj: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica↗2024-10-02

▶

CVEList

CVE-2024-20502: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica↗2024-10-02

▶

📋Vendor Advisories

Cisco

Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities↗2024-10-02

▶