CVE-2024-20295: Cisco Integrated Management Controller CLI Command Injection Vulnerability

Cisco has released updates to address a critical vulnerability in its Integrated Management Controller, which allows local attackers to elevate their privileges to the administrator level.

“A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device,” the company explained.


The issue, identified as CVE-2024-20295, is caused by insufficient validation of user-supplied data, which allows specially crafted CLI commands to be used in low-complexity attacks.

The list of devices at risk includes Cisco servers from the following series:

  • 5000 Series Enterprise Network Compute Systems (ENCS);
  • Catalyst 8300 Series Edge uCPE;
  • UCS C-Series servers in standalone mode;
  • UCS E-Series servers.

The Cisco Product Security Incident Response Team (PSIRT) warns that a proof-of-concept exploit is already publicly available, although active attacks have not yet been recorded.

Meanwhile, just a few days ago, the Cisco Talos division released a report on a widespread credential-stuffing campaign targeting VPN and SSH services on devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti.

The company has advised customers to take all possible measures to counter brute-force attacks on devices that have remote access VPN services configured.