Cyber Resilience

CVE-2024-20432

CriticalRCE

Published: 02 October 2024

Published
02 October 2024
Modified
08 October 2024
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0259 85.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-20432 is a critical-severity Command Injection (CWE-77) vulnerability in Cisco Nexus Dashboard Fabric Controller. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 14.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device.   This vulnerability is due to improper…

more

user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI. A successful exploit could allow the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges.   Note: This vulnerability does not affect Cisco NDFC when it is configured for storage area network (SAN) controller deployment.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
nexus dashboard fabric controller
12.0.0 — 12.2.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References