Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-20499

Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device. These vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.

Published

2024-10-02T19:15:14.143

Last Modified

2025-06-04T21:15:36.380

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.6 (HIGH)

Weaknesses

Type: Secondary
CWE-787
Type: Primary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	cisco	meraki_z4c_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_z4c	-	No
Operating System	cisco	meraki_z4_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_z4	-	No
Operating System	cisco	meraki_z3c_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_z3c	-	No
Operating System	cisco	meraki_z3_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_z3	-	No
Operating System	cisco	meraki_vmx_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_vmx	-	No
Operating System	cisco	meraki_mx600_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx600	-	No
Operating System	cisco	meraki_mx450_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx450	-	No
Operating System	cisco	meraki_mx400_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx400	-	No
Operating System	cisco	meraki_mx250_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx250	-	No
Operating System	cisco	meraki_mx105_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx105	-	No
Operating System	cisco	meraki_mx100_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx100	-	No
Operating System	cisco	meraki_mx95_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx95	-	No
Operating System	cisco	meraki_mx85_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx85	-	No
Operating System	cisco	meraki_mx84_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx84	-	No
Operating System	cisco	meraki_mx75_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx75	-	No
Operating System	cisco	meraki_mx68w_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx68w	-	No
Operating System	cisco	meraki_mx68cw_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx68cw	-	No
Operating System	cisco	meraki_mx68_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx68	-	No
Operating System	cisco	meraki_mx67w_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx67w	-	No
Operating System	cisco	meraki_mx67c_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx67c	-	No
Operating System	cisco	meraki_mx67_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx67	-	No
Operating System	cisco	meraki_mx65w_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx65w	-	No
Operating System	cisco	meraki_mx65_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx65	-	No
Operating System	cisco	meraki_mx64w_firmware	< 18.211.2	Yes
Hardware	cisco	meraki_mx64w	-	No
Operating System	cisco	meraki_mx64_firmware	≤ 18.211.2	Yes
Hardware	cisco	meraki_mx64	-	No

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2 Vendor Advisory ([email protected])