CVE-2024-20509Race Condition in Cisco Meraki Mx100 Firmware

CWE-362Race Condition4 documents4 sources
Severity
5.9MEDIUMNVD
CNA5.8
EPSS
0.3%
top 50.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
26
Cisco Meraki Mx100 FirmwareCisco Meraki Mx105 FirmwareCisco Meraki Mx250 Firmware+23 more
Timeline
PublishedOct 2

Description

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to hijack an AnyConnect VPN session or cause a denial of service (DoS) condition for individual users of the AnyConnect VPN service on an affected device. This vulnerability is due to weak entropy for handlers that are used during the VPN authentication process as well as a race condition that exists in the same process. An att

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages26 packages

NVDcisco/meraki_z3_firmware16.218.211.2
NVDcisco/meraki_z4_firmware16.218.211.2
NVDcisco/meraki_vmx_firmware16.218.211.2
NVDcisco/meraki_z3c_firmware16.218.211.2
NVDcisco/meraki_z4c_firmware16.218.211.2

🔴Vulnerability Details

2
CVEList
CVE-2024-20509: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica2024-10-02
GHSA
GHSA-frxm-f6qg-2mch: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica2024-10-02

📋Vendor Advisories

1
Cisco
Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Session Takeover and Denial of Service Vulnerability2024-10-02
CVE-2024-20509 — Race Condition in Cisco | cvebase