Cyber Resilience

CVE-2024-20359

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 April 2024
Modified: 28 October 2025
KEV Added: 24 April 2024
CVSS Score (v3.1): 6.0 (vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20359 is a medium-severity Code Injection (CWE-94) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.0 (Medium).

Operationally, it ranks at the 33.7th percentile by exploit likelihood (below the median), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in a legacy capability for preloading VPN clients and plug-ins affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The issue stems from improper validation of files read from system flash memory and could permit an authenticated local attacker to execute arbitrary code with root-level privileges after a device reload. Administrator privileges are required, and the injected code can persist across reboots, prompting Cisco to raise the Security Impact Rating from Medium to High. The flaw carries a CVSS 3.1 score of 6.0 and is associated with CWE-94.

An attacker with local administrative access can exploit the vulnerability by placing a crafted file on the disk0: file system of an affected device. Successful exploitation allows arbitrary code execution on the next reload, enabling alteration of system behavior that survives reboots.

Cisco has published a security advisory detailing the issue, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score rose materially from a low baseline to a peak of 0.0118 on 2024-04-25 before receding, indicating post-disclosure exploitation interest.

A Talos Intelligence report links the vulnerability to the ArcaneDoor espionage campaign targeting perimeter network devices.

Vulnerability details

A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 24 April 2024

Related Threats

Threat-Actor Attribution (AI)

ArcaneDoor (C0046)
The Talos blog reports that the ArcaneDoor espionage campaign exploited this Cisco ASA/FTD persistence RCE (together with a related CVE) on perimeter devices.

Affected Assets

Cisco Adaptive Security Appliance Software: 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1
Cisco Firepower Threat Defense: 6.2.3, 6.2.3.1, 6.2.3.10, 6.2.3.11, 6.2.3.12

Mitigating Controls

NIST 800-53 r5 mapping (AI-generated):

Prevent (SI-2, Flaw Remediation): Directly requires timely installation of vendor patches that remove the legacy VPN preloading mechanism and eliminate the improper file-validation flaw.

Prevent (CM-7, Least Functionality): Mandates disabling or removing non-essential legacy capabilities (the VPN client/plug-in preloader) so the vulnerable code path no longer exists.

Detect: Requires integrity verification of files read from flash (disk0:) to detect the crafted file before the next reload executes the injected code.
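The detect control above amounts to keeping an off-box baseline of what is on disk0: and diffing it against a fresh inventory before any reload. The script below is an added example, not code from this page, Cisco, or Talos: it hashes a constructed stand-in for the flash contents, records a baseline, and reports files that were added, modified, or removed. The file names and bytes are constructed; in a real deployment the digests would come from the device itself (the `verify /sha-512 disk0:/<name>` collection method is an assumption here) or from an exported copy of the flash file system.

```python
import hashlib

# Constructed stand-in for the contents of disk0: at two points in time.
# Real inventories would be built from the device's own file digests
# (assumed here: Cisco's `verify /sha-512 disk0:/<name>` command, or an
# exported copy of flash hashed on a trusted host).
BASELINE_FILES = {
    "disk0:/asa-image.bin": b"constructed image bytes",
    "disk0:/asdm-image.bin": b"constructed asdm bytes",
    "disk0:/startup-config": b"hostname asa\n",
}

CURRENT_FILES = {
    "disk0:/asa-image.bin": b"constructed image bytes",
    "disk0:/asdm-image.bin": b"constructed asdm bytes MODIFIED",   # changed in place
    "disk0:/startup-config": b"hostname asa\n",
    "disk0:/unexpected-file.bin": b"constructed file nobody placed",  # new on flash
}


def sha512_hex(data: bytes) -> str:
    """SHA-512 hex digest of a file's bytes."""
    return hashlib.sha512(data).hexdigest()


def inventory(files: dict) -> dict:
    """Map each flash path to its digest; store the result off-box as the baseline."""
    return {path: sha512_hex(data) for path, data in files.items()}


def diff_inventories(baseline: dict, current: dict) -> dict:
    """Report files that appeared, changed, or vanished relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def needs_review(report: dict) -> bool:
    """Any added or modified file on flash must be explained before the next reload."""
    return bool(report["added"] or report["modified"])


if __name__ == "__main__":
    report = diff_inventories(inventory(BASELINE_FILES), inventory(CURRENT_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind.upper():9}{path}")
    print("review required" if needs_review(report) else "flash matches baseline")
```

Because the flaw only takes effect on reload, the useful moment to run such a comparison is in the maintenance window just before a scheduled reboot, with the baseline taken from a known-good state after the last patch. Removed files are reported too, since a deleted image or config is worth a question even though it is not the signal this advisory describes.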

References