CVE-2024-20306

Vulnerability

A command injection vulnerability exists in the Unified Threat Defense (UTD) configuration CLI of Cisco IOS XE Software, tracked as CVE-2024-20306 [1]. The flaw is caused by insufficient input validation of CLI commands submitted to the UTD component [1]. Affected versions include multiple releases of Cisco IOS XE Software with UTD enabled; precise version ranges are identified via the Cisco Software Checker [1].

Exploitation

An attacker must have level 15 (privileged EXEC) credentials on the affected device [1]. No network connectivity to the vulnerable CLI function beyond local console or SSH administrative access is required. The attacker submits a specially crafted CLI command to the UTD configuration interface, triggering the injection of arbitrary operating system commands [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with root privileges on the underlying host operating system, completely compromising the device's confidentiality, integrity, and availability [1].

Mitigation

Cisco has not yet released fixed versions at the time of this advisory [1]. Users should monitor the Cisco Security Advisories page for updates and consult the Cisco Software Checker to identify a first-fixed release when available [1]. No workarounds are disclosed; restricting level 15 access to trusted administrators is a recommended precaution [1].