Cisco discloses high-severity vulnerability, PoC available

The security vendor released fixes for a vulnerability that affects Cisco Integrated Management Controller, which is used by devices including routers and servers.

Cisco disclosed a high-severity vulnerability that could allow an attacker to gain root access to a victim's operating system.

In a security advisory Wednesday, Cisco detailed a command injection vulnerability, tracked as CVE-2024-20295, that affects the CLI of the Cisco Integrated Management Controller (IMC). The CLI is used to configure, monitor and maintain Cisco devices, while IMC is a baseboard management controller that helps enterprises manage servers. Cisco credited security researcher James Muller for reporting the vulnerability.

Cisco said in its advisory that CVE-2024-20295, which received a CVSS score of 8.8, could allow an authenticated, local attacker to elevate privileges to root. Cisco warned that a proof-of-concept (PoC) exploit is publicly available, but added that the Cisco Product Security Incident Response Team "is not aware of any malicious use of the vulnerability that is described in this advisory."

Recent malicious activity shows threat actors are quick to exploit a vulnerability following PoC availability. For example, in February, attackers attempted to exploit a critical Fortinet FortiNAC web server vulnerability just hours after a PoC was published on GitHub. However, it appears that is not the case for the Cisco flaw just yet.

Affected products include the 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge uCPE, UCS C-Series rack servers in standalone mode and UCS E-Series servers. Furthermore, "Cisco appliances that are based on a preconfigured version of a Cisco UCS C-Series Server are also affected if they expose access to the Cisco IMC CLI," the advisory read.

While attackers could gain access to sensitive information, there are caveats that make exploitation more difficult. For example, an attacker must be authenticated and local. Cisco also stressed that an attacker must have read-only or higher privileges on an affected device. To exploit the flaw, an attacker must submit a crafted CLI command.

Cisco released software updates to address the vulnerability and urged users to upgrade to the fixed versions. However, the vendor offered no workarounds.

Cisco had not responded to TechTarget Editorial's request for comment at press time.

Cisco products have proven to be popular targets for threat actors over the last year. In September, attackers exploited two separate Cisco zero-day vulnerabilities; both involved software used for VPNs. One was an out-of-bounds write vulnerability that could allow an attacker to gain full control of the vendor's Group Encrypted Transport VPN product. For the other, Cisco disclosed that the Akira ransomware group exploited a zero-day flaw that could allow attackers to remotely access VPN features in Cisco's Adaptive Security Appliance and Firepower Threat Defense software.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
