Incorrect authorization in Cisco Systems, Inc products - CVE-2024-20510


Published: September 26, 2024


Vulnerability identifier: #VU97728
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-20510
CWE-ID: CWE-863
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Catalyst 9800-CL Wireless Controllers for Cloud
Catalyst 9800 Embedded Wireless Controller
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controllers on Catalyst Access Points

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a logic error in the Central Web Authentication (CWA) feature. A remote attacker on the local (adjacent) network can bypass the ACL protections configured on the target device before user authentication completes, and thereby reach trusted networks that the device might be protecting.


How to mitigate CVE-2024-20510

Install updates from the vendor's website.

Sources