Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-20429

A vulnerability in the web-based management interface of Cisco AsyncOS for Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary system commands on an affected device. This vulnerability is due to insufficient input validation in certain portions of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To successfully exploit this vulnerability, an attacker would need at least valid Operator credentials.

Published

2024-07-17T17:15:14.497

Last Modified

2025-08-08T01:56:39.500

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	asyncos	11.0.3-238	Yes
Operating System	cisco	asyncos	11.1.0-069	Yes
Operating System	cisco	asyncos	11.1.0-128	Yes
Operating System	cisco	asyncos	11.1.0-131	Yes
Operating System	cisco	asyncos	12.0.0-419	Yes
Operating System	cisco	asyncos	12.1.0-071	Yes
Operating System	cisco	asyncos	12.1.0-087	Yes
Operating System	cisco	asyncos	12.1.0-089	Yes
Operating System	cisco	asyncos	12.5.0-066	Yes
Operating System	cisco	asyncos	12.5.3-041	Yes
Operating System	cisco	asyncos	12.5.4-041	Yes
Operating System	cisco	asyncos	13.0.0-392	Yes
Operating System	cisco	asyncos	13.0.5-007	Yes
Operating System	cisco	asyncos	13.5.1-277	Yes
Operating System	cisco	asyncos	13.5.4-038	Yes
Operating System	cisco	asyncos	14.0.0-698	Yes
Operating System	cisco	asyncos	14.2.0-620	Yes
Operating System	cisco	asyncos	14.2.1-020	Yes
Application	cisco	secure_email_gateway_virtual_appliance_c100v	-	No
Application	cisco	secure_email_gateway_virtual_appliance_c300v	-	No
Application	cisco	secure_email_gateway_virtual_appliance_c600v	-	No
Hardware	cisco	secure_email_gateway_c195	-	No
Hardware	cisco	secure_email_gateway_c395	-	No
Hardware	cisco	secure_email_gateway_c695	-	No

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-priv-esc-ssti-xNO2EOGZ Vendor Advisory ([email protected])
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-priv-esc-ssti-xNO2EOGZ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)