Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Squashes High-Severity Bug in Web Protection Solution

Cisco has announced patches for a high-severity escalation of privilege vulnerability in AsyncOS for Cisco Secure Web Appliance.

Formerly Web Security Appliance (WSA), Cisco’s Secure Web Appliance is an enterprise protection solution designed to block risky sites and provide application visibility and control.

Cisco has announced patches for a high-severity escalation of privilege vulnerability in AsyncOS for Cisco Secure Web Appliance.

Formerly Web Security Appliance (WSA), Cisco’s Secure Web Appliance is an enterprise protection solution designed to block risky sites and provide application visibility and control.

Tracked as CVE-2022-20871, the newly addressed flaw can be exploited remotely to inject commands and escalate privileges to root, but requires authentication for successful exploitation.

According to Cisco, the security bug exists because user-supplied input for the web interface is not sufficiently validated.

“An attacker could exploit this vulnerability by authenticating to the system and sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root,” Cisco explains.

The tech giant also notes that the attacker needs to have at least read-only credentials to successfully exploit the issue.

Cisco has resolved the vulnerability with the release of AsyncOS for Secure Web Appliance version 14.5.0-537 and plans to release updates for versions 12.5 and 14.0 of the appliance as well.

There are no workarounds available to address the vulnerability and Cisco encourages customers to install the available patches as soon as possible.

Cisco says it is not aware of this vulnerability being exploited in malicious attacks.

Related: Cisco Patches High-Severity Vulnerability in Security Solutions

Related: Cisco Patches Critical Vulnerability in Email Security Appliance

Related: Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability

Related: Cisco Patches 11 High-Severity Vulnerabilities in Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.