Vulnerability Database

CVE-2024-20429

A vulnerability in the web-based management interface of Cisco AsyncOS for Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary system commands on an affected device.

This vulnerability is due to insufficient input validation in certain portions of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To successfully exploit this vulnerability, an attacker would need at least valid Operator credentials.

  • Published: Jul 17, 2024
  • Updated: Aug 9, 2025
  • CVE: CVE-2024-20429
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.2
  • Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Software          From          Fixed in
cisco / asyncos   11.0.3-238    11.0.3-238.x
cisco / asyncos   11.1.0-069    11.1.0-069.x
cisco / asyncos   11.1.0-128    11.1.0-128.x
cisco / asyncos   11.1.0-131    11.1.0-131.x
cisco / asyncos   12.0.0-419    12.0.0-419.x
cisco / asyncos   12.1.0-071    12.1.0-071.x
cisco / asyncos   12.1.0-087    12.1.0-087.x
cisco / asyncos   12.1.0-089    12.1.0-089.x
cisco / asyncos   12.5.0-066    12.5.0-066.x
cisco / asyncos   12.5.3-041    12.5.3-041.x
cisco / asyncos   12.5.4-041    12.5.4-041.x
cisco / asyncos   13.0.0-392    13.0.0-392.x
cisco / asyncos   13.0.5-007    13.0.5-007.x
cisco / asyncos   13.5.1-277    13.5.1-277.x
cisco / asyncos   13.5.4-038    13.5.4-038.x
cisco / asyncos   14.0.0-698    14.0.0-698.x
cisco / asyncos   14.2.0-620    14.2.0-620.x
cisco / asyncos   14.2.1-020    14.2.1-020.x