Cyber Resilience

CVE-2022-20933

Severity: High
Published: 26 October 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (Cisco Meraki software updates; see Vulnerability details)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0046 (64.7th percentile)
Risk Priority: 17 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-20933 is a high-severity Failure to Handle Missing Parameter (CWE-234) vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX devices (including the MX64 firmware listed below) and Cisco Meraki Z3 Teleworker Gateway devices. Its CVSS v3.1 base score is 8.6 (High): reachable over the network with no privileges or user interaction, availability impact only, with a scope change.

Operationally, its EPSS percentile (64.7th) places it in the top 35.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z3 Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this vulnerability by crafting a malicious request and sending it to the affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to crash and restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established.

Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention. Cisco Meraki has released software updates that address this vulnerability.
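The weakness class behind this advisory (CWE-234: a handler that uses a client-supplied parameter without first checking it is present) is easy to see in miniature. The following is an added illustration for this page, not Cisco Meraki or AnyConnect code, and it does not model how the real server parses SSL VPN session requests: the handler names, the required-field list, the group names and the sample requests are all constructed. It shows the vulnerable form beside a hardened one and why one malformed request costs every established session when the process crashes and restarts.

```python
"""CWE-234 (failure to handle a missing parameter) in a session-establishment
handler, beside a hardened version.  Added illustration for this page; it is
not Cisco Meraki or AnyConnect code and does not model their internals.  The
handler names, the required-field list and the sample requests are all
constructed for the example."""

from dataclasses import dataclass, field

# Fields a client must supply to open a session (hypothetical)
REQUIRED_FIELDS = {"username": str, "group": str, "client_version": str}
ALLOWED_GROUPS = ("employees", "contractors")


@dataclass
class VpnServer:
    """Minimal stand-in for a server that tracks established sessions."""
    sessions: dict = field(default_factory=dict)
    next_id: int = 1

    def establish(self, req):
        sid = self.next_id
        self.next_id += 1
        self.sessions[sid] = req["username"]
        return sid


def vulnerable_handle(server, req):
    """Reads client-supplied fields without checking they are present.
    A request that omits "group" raises KeyError; in a server that lets the
    exception propagate, that single malformed request takes the process down."""
    if req["group"] not in ALLOWED_GROUPS:
        return "rejected: unknown group"
    return server.establish(req)


def hardened_handle(server, req):
    """Validates presence and type of every client-supplied field before use,
    so a malformed request is answered with an error instead of crashing."""
    for name, typ in REQUIRED_FIELDS.items():
        if not isinstance(req.get(name), typ):
            return "rejected: missing or invalid field '%s'" % name
    if req["group"] not in ALLOWED_GROUPS:
        return "rejected: unknown group"
    return server.establish(req)


def serve(handler, requests):
    """Feed requests through a handler.  An unhandled exception is treated as
    the server crashing and restarting: every established session is dropped,
    which is the impact the advisory describes."""
    server = VpnServer()
    crashes = 0
    results = []
    for req in requests:
        try:
            results.append(handler(server, req))
        except Exception as exc:
            crashes += 1
            server.sessions.clear()   # restart: existing tunnels are gone
            results.append("CRASH: %s" % type(exc).__name__)
    return {"crashes": crashes, "results": results,
            "active_sessions": len(server.sessions)}


# Constructed sample traffic: three valid requests around one malformed one
SAMPLE_REQUESTS = [
    {"username": "alice", "group": "employees", "client_version": "4.10"},
    {"username": "bob", "group": "contractors", "client_version": "4.10"},
    {"username": "mallory", "client_version": "4.10"},        # "group" omitted
    {"username": "carol", "group": "employees", "client_version": "4.10"},
]

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle),
                          ("hardened", hardened_handle)):
        print(name, serve(handler, SAMPLE_REQUESTS))
```

Running the same four requests through both handlers: the vulnerable handler crashes on the third request and alice's and bob's sessions are gone when it comes back, leaving only carol connected, while the hardened handler rejects the malformed request and keeps all three valid sessions. The design point is that validation of presence and type belongs at the boundary, before any field is dereferenced, and that a crash in a single-process network daemon is a service-wide outage regardless of how quickly it restarts.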

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

All listed configurations share the same affected firmware ranges: 16.2.0 to 16.16.6 and 17.0.0 to 17.10.1 (inclusive).

cisco meraki mx64 firmware
cisco meraki mx64w firmware
cisco meraki mx65 firmware
cisco meraki mx65w firmware
cisco meraki mx67 firmware
cisco meraki mx67cw firmware
cisco meraki mx67w firmware
cisco meraki mx68 firmware
cisco meraki mx68cw firmware
cisco meraki mx68w firmware
+13 more product configuration(s) — see NVD for full list
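A practitioner with a fleet of MX appliances mostly wants to know which running versions fall inside the ranges above. The script below is an added example for this page, not a Cisco or Meraki tool. Its AFFECTED_RANGES are the two ranges shown for the MX64 to MX68 models; the 13 further configurations and the Z3 are not enumerated on this page, so a version outside these ranges is reported as "not in listed ranges" rather than as safe, and NVD should be consulted before closing it out. The inventory lines are constructed sample data, and the "MX 16.16.6" version-string shape is an assumption about how the running firmware is recorded.

```python
"""Triage an MX inventory against the affected firmware ranges listed on this
page for CVE-2022-20933.  Added example for this page, not a Cisco or Meraki
tool.  AFFECTED_RANGES holds the two ranges shown above for the MX64..MX68
models; the 13 further configurations and the Z3 are not enumerated here, so
check NVD before treating a version outside these ranges as unaffected.
The inventory is constructed sample data."""

import re

# (low, high) inclusive, as shown on this page
AFFECTED_RANGES = [((16, 2, 0), (16, 16, 6)), ((17, 0, 0), (17, 10, 1))]


def parse_version(text):
    """Extract a version tuple from strings such as "MX 17.10.1" or "16.16";
    missing components are treated as 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version, ranges=AFFECTED_RANGES):
    """True when the version falls inside any listed range (bounds inclusive)."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v <= hi for lo, hi in ranges)


# Constructed inventory: "device name,running firmware"
SAMPLE_INVENTORY = """\
mx64-branch-01,MX 16.16.6
mx67-branch-02,MX 17.10.1
mx68-hq,MX 17.10.2
mx65-lab,MX 15.44
mx64w-remote,MX 16.2.0
"""


def triage(inventory_csv, ranges=AFFECTED_RANGES):
    """Return (device, version, affected) for each non-empty inventory line."""
    rows = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        name, ver = (s.strip() for s in line.split(",", 1))
        rows.append((name, ver, is_affected(ver, ranges)))
    return rows


if __name__ == "__main__":
    for name, ver, hit in triage(SAMPLE_INVENTORY):
        print("%-16s %-12s %s" % (name, ver,
                                  "AFFECTED" if hit else "not in listed ranges"))
```

Because the page gives the ranges as inclusive, the boundary versions 16.16.6 and 17.10.1 are flagged while 17.10.2 is not; the comparison is done on integer tuples so that, for example, 16.9.0 sorts below 16.16.0 rather than above it as a string comparison would put it.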

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.