Unrated severity · NVD Advisory · Published Jul 17, 2024 · Updated Aug 1, 2024

CVE-2024-20435

Description

An authenticated local attacker can exploit insufficient CLI input validation in Cisco AsyncOS for Secure Web Appliance to execute arbitrary commands and gain root privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability in the CLI of Cisco AsyncOS for Secure Web Appliance arises from insufficient validation of user-supplied input. This allows an authenticated local attacker to inject arbitrary commands. The affected product is Cisco AsyncOS for Secure Web Appliance; specific version details are available in the Cisco advisory [1]. At minimum, guest credentials are required to reach the vulnerable code path.

Exploitation

An attacker must first authenticate to the system with at least guest-level credentials. After authentication, the attacker executes a crafted command on the CLI that triggers the command injection. The attacker does not require any additional privileges or network access beyond local CLI access.

Impact

Successful exploitation enables the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. This results in full compromise of the affected device, including complete control over the system’s operations and data.

Mitigation

Cisco has released free software updates to address this vulnerability. Affected users should upgrade to a fixed version as specified in the Cisco security advisory [1]. No workarounds are documented in the available reference. Customers with service contracts can obtain updates through their usual channels; others should contact Cisco TAC.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is generated only when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
