Cybersecurity Threat Advisory: Cisco patches high-severity bug

Cisco has released security updates for a vulnerability affecting its Secure Client software. Successful exploitation could allow threat actors to steal a targeted user’s token and establish a virtual private network (VPN) session. The vulnerability, tracked as CVE-2024-20337, has a CVSS score of 8.2, which is rated high. Organizations running the vulnerable versions (listed below in this Cybersecurity Threat Advisory) are encouraged to apply the latest patch immediately.

What is the threat?

This high-severity flaw can lead to a carriage return line feed (CRLF) injection attack. This attack type allows for script execution and unauthorized remote access to VPN sessions. Because user-supplied input is insufficiently validated, an attacker can trick a user into clicking a crafted link while establishing a VPN session; the injected content then executes arbitrary script in the victim’s browser or exposes sensitive browser-based information.

Why is it noteworthy?

This vulnerability affects the Cisco Secure Client for Windows, Linux, and macOS. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid Security Assertion Markup Language (SAML) token.

What is the exposure or risk?

If a victim visits a website under the attacker’s control, the attacker can obtain the user’s SAML token and use it to establish a remote access VPN session with that user’s privileges, gaining access to local internal networks. Cisco did note that an attacker attempting to reach individual hosts and services behind the VPN headend would still need additional credentials before access is granted.

What are the recommendations?

Barracuda MSP recommends the following actions to mitigate the effects of CVE-2024-20337:

  • Determine whether the VPN headend is configured to use the SAML External Browser Feature by using the show running-config tunnel-group command in the Cisco ASA or FTD CLI. The displayed results will indicate if the SAML External Browser feature is enabled.
  • To secure their endpoints, IT teams should update Cisco Secure Client according to the version information below:

  Cisco Secure Client Release   | First Fixed Release
  ------------------------------|-----------------------------
  Earlier than 4.10.04065       | Not vulnerable.
  4.10.04065 and later          | 4.10.08025
  5.0                           | Migrate to a fixed release.
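As an added example (not part of this advisory or of Cisco’s tooling), the following Python script applies the fixed-release table above to an inventory of installed Secure Client versions so that affected endpoints can be listed for patching. The hostnames and versions in the inventory are constructed; the 5.0 train is treated as affected because the table gives it no fixed release, and versions outside the table (such as 5.1) are reported as not covered rather than guessed at.

```python
# Added example: triage installed Cisco Secure Client versions against the
# CVE-2024-20337 fixed-release table. Not Cisco's code; inventory is constructed.
from typing import Dict, List, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted Cisco version such as '4.10.04065' into an int tuple.
    Builds carry leading zeros, so they must be compared numerically."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)


FIRST_VULNERABLE = parse_version("4.10.04065")   # from the table
FIRST_FIXED_4_10 = parse_version("4.10.08025")   # from the table
TRAIN_5_0 = (5, 0)                               # "Migrate to a fixed release"


def triage(installed: str) -> Tuple[str, str]:
    """Return (status, action) for one installed version per the table."""
    v = parse_version(installed)
    if v[:2] == TRAIN_5_0:
        return ("vulnerable", "migrate to a fixed release")
    if v < FIRST_VULNERABLE:
        return ("not vulnerable", "no action")
    if v < FIRST_FIXED_4_10:
        return ("vulnerable", "update to 4.10.08025")
    if v[:2] == (4, 10):
        return ("fixed", "no action")
    # Releases after 4.10 other than 5.0 are not listed in the advisory table.
    return ("not covered by table", "check Cisco's advisory for this release")


def hosts_needing_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Given {hostname: version}, list (host, version, action) for affected hosts."""
    out = []
    for host, version in sorted(inventory.items()):
        status, action = triage(version)
        if status == "vulnerable":
            out.append((host, version, action))
    return out


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are illustrative only).
    sample = {"ws-01": "4.10.03000", "ws-02": "4.10.05000",
              "ws-03": "4.10.08025", "lt-01": "5.0.01000", "lt-02": "5.1.0.0"}
    for host, version, action in hosts_needing_action(sample):
        print(f"{host}: {version} -> {action}")
```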


For more in-depth information on the recommendations, please visit the following links:

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
