CVE-2024-20501

EPSS 0.11%
Published 02.10.2024 19:15:14
Last modified 04.06.2025 21:15:36
Source psirt@cisco.com
Teams watchlist Login
Open Login

Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device.

 These vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.

 Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Meraki Mx65 Firmware Version >= 17.6.0 < 18.211.2

Cisco ≫ Meraki Mx65 Version-

Cisco ≫ Meraki Mx64 Firmware Version >= 17.6.0 <= 18.211.2

Cisco ≫ Meraki Mx64 Version-

Cisco ≫ Meraki Z4c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z4c Version-

Cisco ≫ Meraki Z4 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z4 Version-

Cisco ≫ Meraki Z3c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z3c Version-

Cisco ≫ Meraki Z3 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Z3 Version-

Cisco ≫ Meraki Vmx Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Vmx Version-

Cisco ≫ Meraki Mx600 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx600 Version-

Cisco ≫ Meraki Mx450 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx450 Version-

Cisco ≫ Meraki Mx400 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx400 Version-

Cisco ≫ Meraki Mx250 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx250 Version-

Cisco ≫ Meraki Mx105 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx105 Version-

Cisco ≫ Meraki Mx100 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx100 Version-

Cisco ≫ Meraki Mx95 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx95 Version-

Cisco ≫ Meraki Mx85 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx85 Version-

Cisco ≫ Meraki Mx84 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx84 Version-

Cisco ≫ Meraki Mx75 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx75 Version-

Cisco ≫ Meraki Mx68w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68w Version-

Cisco ≫ Meraki Mx68cw Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68cw Version-

Cisco ≫ Meraki Mx68 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx68 Version-

Cisco ≫ Meraki Mx67w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67w Version-

Cisco ≫ Meraki Mx67c Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67c Version-

Cisco ≫ Meraki Mx67 Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx67 Version-

Cisco ≫ Meraki Mx65w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx65w Version-

Cisco ≫ Meraki Mx64w Firmware Version >= 16.2 < 18.211.2

Cisco ≫ Meraki Mx64w Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.302

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
psirt@cisco.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-20501

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-20501

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-20501

EUVD