CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical Vulnerability in Industrial Networking Solution

A critical vulnerability in Cisco Unified Industrial Wireless software could allow remote, unauthenticated attackers to inject commands with root privileges.

Cisco on Wednesday announced patches for dozens of vulnerabilities in its enterprise products, including a critical-severity flaw in Unified Industrial Wireless software.

The critical bug, tracked as CVE-2024-20418 (CVSS score of 10/10), allows a remote, unauthenticated attacker to inject commands on the underlying operating system, with root privileges.

The issue exists because the web-based management interface of the industrial networking solution does not properly validate input, allowing an attacker to send crafted HTTP requests.

“A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device,” Cisco notes in its advisory.

The security defect affects the company’s Catalyst IW9165D, IW9165E, and IW9167E access points that have the Ultra-Reliable Wireless Backhaul (URWB) operating mode enabled.

Patches for the vulnerability were included in Unified Industrial Wireless software version 17.15.1. Owners of devices running version 17.14 and earlier of the software are advised to migrate to the patched release.

The tech giant also announced fixes for CVE-2024-20536, a high-severity bug in the Nexus Dashboard Fabric Controller (NDFC) that could be exploited for arbitrary SQL command execution.

Insufficient validation of user-supplied input could allow a remote, authenticated attacker to send a crafted request to a specific REST API endpoint or to NDFC’s web-based management interface and read, modify, or delete arbitrary data on an internal database.

Advertisement. Scroll to continue reading.

Another high-severity flaw resolved on Wednesday, tracked as CVE-2024-20484 and affecting the Enterprise Chat and Email (ECE), could allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

Insufficient validation of specific traffic could allow an attacker to send crafted traffic to an affected device and trigger a connection failure that would lead to DoS, preventing “customers from starting chat, callback, or delayed callback sessions”. The impacted process would require a manual restart, Cisco explains.

On Wednesday, the tech giant also announced patches for nearly two dozen medium-severity bugs in various enterprise communication and access and networking management solutions.

Cisco says it is not aware of any of the fixed vulnerabilities being exploited in the wild. Additional information can be found on Cisco’s security advisories page.

Related: Researcher Discloses 36 Vulnerabilities Found in IBM Security Verify Access

Related: F5 BIG-IP Updates Patch High-Severity Elevation of Privilege Vulnerability

Related: Unpatched Vulnerability Exposes Horde Webmail Servers to Attacks

Related: Critical Vulnerabilities Patched in Cisco SD-WAN, DNA Center Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.