Missing Authentication for Critical Function in Cisco Secure Client for Windows - CVE-2024-20391
Published: May 16, 2024
Vulnerability identifier: #VU89589
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-20391
CWE-ID: CWE-306
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Secure Client for Windows
Cisco Secure Client for Windows
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to a lack of authentication on a specific function in the Network Access Manager (NAM) module. An attacker with physical access can execute arbitrary code with SYSTEM privileges on the target device.
Remediation
Install updates from vendor's website.