CVE-2024-20401
Published: 17 July 2024
Summary
CVE-2024-20401 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Cisco Secure Email Gateway. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway allows an unauthenticated remote attacker to overwrite arbitrary files on the underlying operating system. The issue stems from improper handling of email attachments when file analysis and content filters are enabled, and it is tracked under CWE-36 with a CVSS 3.1 score of 9.8.
An attacker can exploit the flaw simply by sending a crafted email attachment through an affected device. Successful exploitation permits replacement of any file on the file system, enabling actions such as adding root-privileged users, altering device configuration, executing arbitrary code, or inducing a permanent denial-of-service condition that requires manual recovery via Cisco TAC.
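The advisory text above describes the effect (a sender-chosen name ends up deciding which file on the appliance is written) but not the gateway's internals. The following is an added, generic illustration of the CWE-36 class and its mitigation in Python; it is not Cisco code and makes no claim about how Secure Email Gateway handles attachments. The quarantine directory and the attachment names are constructed for the example.

```python
"""Constructed example: placing e-mail attachments on disk without letting the
sender choose the path (CWE-36, Absolute Path Traversal).

Not Cisco code. The directory `/var/quarantine` and the attachment names below
are made up for illustration.
"""
import posixpath
from typing import List, Tuple

QUARANTINE_DIR = "/var/quarantine"  # assumed location, constructed for the example


def naive_target(base_dir: str, attachment_name: str) -> str:
    """The weak pattern behind CWE-36.

    posixpath.join() discards every earlier component when a later one is
    absolute, so join("/var/quarantine", "/etc/passwd") is "/etc/passwd".
    A sender who controls the attachment name therefore controls the path.
    """
    return posixpath.join(base_dir, attachment_name)


def safe_attachment_name(attachment_name: str) -> str:
    """Reduce a sender-supplied name to one relative path component.

    Any separator (POSIX or Windows style), drive letter, '.' / '..' or NUL
    byte is rejected with ValueError so the caller can quarantine and log the
    message instead of guessing at a "cleaned" name.
    """
    if not attachment_name or "\x00" in attachment_name:
        raise ValueError("empty or NUL-containing attachment name")
    # Treat both separator families as separators: a POSIX gateway still
    # receives names produced by Windows mail clients.
    parts = attachment_name.replace("\\", "/").split("/")
    if len(parts) != 1:
        raise ValueError(f"attachment name contains a path separator: {attachment_name!r}")
    name = parts[0]
    if name in (".", "..") or ":" in name:
        raise ValueError(f"attachment name is not a plain file name: {name!r}")
    return name


def safe_target(base_dir: str, attachment_name: str) -> str:
    """Hardened pattern: validate the name, then prove containment.

    The containment check is deliberately redundant with safe_attachment_name();
    if either check is later weakened, the other still holds the line.
    """
    name = safe_attachment_name(attachment_name)
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"resolved path escapes {base}: {target}")
    return target


def triage(attachment_names: List[str], base_dir: str = QUARANTINE_DIR) -> List[Tuple[str, str]]:
    """Run every constructed attachment name through safe_target().

    Returns (name, verdict) pairs: the resolved path for accepted names,
    "REJECTED" for names that would have steered the write elsewhere.
    """
    verdicts = []
    for name in attachment_names:
        try:
            verdicts.append((name, safe_target(base_dir, name)))
        except ValueError:
            verdicts.append((name, "REJECTED"))
    return verdicts


# Constructed sample attachment names: one benign, the rest traversal attempts.
SAMPLE_NAMES = [
    "report.pdf",
    "/etc/passwd",
    "../../etc/shadow",
    "C:\\Windows\\win.ini",
    "..\\..\\boot.ini",
    "quarterly\x00.pdf",
]

if __name__ == "__main__":
    print("naive:", naive_target(QUARANTINE_DIR, "/etc/passwd"))
    for name, verdict in triage(SAMPLE_NAMES):
        print(f"{name!r:28} -> {verdict}")
```

The point of `naive_target()` is only to show why the class exists: a join that accepts an absolute component silently replaces the intended directory. The hardened path keeps two independent controls (a whitelist-style name check and a post-normalisation containment check), which is the shape a defender wants for any component that writes sender-controlled data to disk.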
The Cisco Security Advisory cisco-sa-esa-afw-bGG2UsjH details mitigation steps and is available at the vendor's security center.
EPSS for this CVE rose from lower values to a peak of 0.1391 before receding to the current score of 0.0766, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18116
Vulnerability details
A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system. This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device. Note: Manual intervention is required to recover from the DoS condition. Customers are advised to contact the Cisco Technical Assistance Center (TAC) to help recover a device in this condition.
- CWE(s): CWE-36 (Absolute Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.