Cisco has released an update to address a high-severity flaw found in the command line interface (CLI) of its Integrated Management Controller (IMC) used by several commercial-grade routers and switches.
The flaw, designated CVE-2024-20295, is due to insufficient validation of user-supplied input and can be exploited with simple CLI commands made by a threat actor with read-only or higher privileges on the affected device. Successful exploitation could allow the threat actor to conduct command injection attacks and escalate their privileges to the root level.
The vulnerability affects a lengthy list of Cisco products that run Cisco IMC or are configured to provide access to the IMC’s CLI. Users of the affected products are encouraged to install the security update as soon as possible.
While Cisco's Product Security Incident Response Team (PSIRT) warned that proof-of-concept exploit code is already available, it has not yet detected any threat actors targeting the vulnerability.
Source: Bleeping Computer
Analysis
Commercial-grade routers and switches, such as those impacted by CVE-2024-20295, are common targets for threat actors seeking initial access to networks of interest. Control of these devices could allow threat actors to gain access to more sensitive internal systems and accounts, launch adversary-in-the-middle attacks, or create denial-of-service conditions.
Threat actors can also alter the configuration of these routers to force unwitting users to websites under their control or to allow connections from suspicious IPs and processes that would otherwise have been blocked.
Given that exploit code is available, it’s likely only a matter of time before threat actors begin exploiting CVE-2024-20295.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats to devices such as those impacted by CVE-2024-20295. This research contributes to the timely deployment of signatures into Field Effect’s MDR to detect and mitigate these threats.
Field Effect MDR users were automatically notified if an impacted Cisco device was detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect recommends that all other users of the affected Cisco devices install the security update according to Cisco’s advisory as soon as possible.