#VU94505 Path traversal in Secure Email Gateway and Cisco AsyncOS for Secure Email Gateway - CVE-2024-20401

Published: July 17, 2024


Vulnerability identifier: #VU94505
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Red
CVE-ID: CVE-2024-20401
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Secure Email Gateway
Cisco AsyncOS for Secure Email Gateway
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing email attachments if file analysis and content filters are enabled. A remote attacker can send a specially crafted email attachment and overwrite arbitrary files on the system with root privileges.

Successful exploitation of the vulnerability may result in complete system compromise.


Remediation

Install the update from the vendor's website.

External links