CVE-2024-20437

A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack and execute commands on the CLI of an affected device.

This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an already authenticated user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user.

Published: Sep 25, 2024
Updated: May 4, 2025
CVE: CVE-2024-20437
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
cisco / ios_xe	17.4.1	17.4.1.x
cisco / ios_xe	17.4.1a	17.4.1a.x
cisco / ios_xe	17.3.2	17.3.2.x
cisco / ios_xe	17.4.1b	17.4.1b.x
cisco / ios_xe	17.3.2a	17.3.2a.x
cisco / ios_xe	17.5.1	17.5.1.x
cisco / ios_xe	17.6.3	17.6.3.x
cisco / ios_xe	17.6.1a	17.6.1a.x
cisco / ios_xe	17.6.1w	17.6.1w.x
cisco / ios_xe	17.6.1	17.6.1.x
cisco / ios_xe	17.5.1a	17.5.1a.x
cisco / ios_xe	17.4.2a	17.4.2a.x
cisco / ios_xe	17.4.2	17.4.2.x
cisco / ios_xe	17.3.4c	17.3.4c.x
cisco / ios_xe	17.3.4b	17.3.4b.x
cisco / ios_xe	17.3.4a	17.3.4a.x
cisco / ios_xe	17.3.4	17.3.4.x
cisco / ios_xe	17.3.3	17.3.3.x
cisco / ios_xe	17.11.1	17.11.1.x
cisco / ios_xe	17.9.1a	17.9.1a.x
cisco / ios_xe	17.9.1w	17.9.1w.x
cisco / ios_xe	17.9.1	17.9.1.x
cisco / ios_xe	17.8.1a	17.8.1a.x
cisco / ios_xe	17.8.1	17.8.1.x
cisco / ios_xe	17.10.1	17.10.1.x
cisco / ios_xe	17.7.2	17.7.2.x
cisco / ios_xe	17.7.1b	17.7.1b.x
cisco / ios_xe	17.7.1a	17.7.1a.x
cisco / ios_xe	17.7.1	17.7.1.x
cisco / ios_xe	17.6.5	17.6.5.x
cisco / ios_xe	17.6.1z1	17.6.1z1.x
cisco / ios_xe	17.6.4	17.6.4.x
cisco / ios_xe	17.6.3a	17.6.3a.x
cisco / ios_xe	17.6.1z	17.6.1z.x
cisco / ios_xe	17.6.1y	17.6.1y.x
cisco / ios_xe	17.6.1x	17.6.1x.x
cisco / ios_xe	17.6.2	17.6.2.x
cisco / ios_xe	17.3.7	17.3.7.x
cisco / ios_xe	17.3.5b	17.3.5b.x
cisco / ios_xe	17.3.5a	17.3.5a.x
cisco / ios_xe	17.3.6	17.3.6.x
cisco / ios_xe	17.3.5	17.3.5.x
cisco / ios_xe	17.11.99sw	17.11.99sw.x
cisco / ios_xe	17.12.1y	17.12.1y.x
cisco / ios_xe	17.12.1x	17.12.1x.x
cisco / ios_xe	17.12.1a	17.12.1a.x
cisco / ios_xe	17.12.1w	17.12.1w.x
cisco / ios_xe	17.12.1	17.12.1.x
cisco / ios_xe	17.11.1a	17.11.1a.x
cisco / ios_xe	17.9.4a	17.9.4a.x
cisco / ios_xe	17.9.1y1	17.9.1y1.x
cisco / ios_xe	17.9.4	17.9.4.x
cisco / ios_xe	17.9.3a	17.9.3a.x
cisco / ios_xe	17.9.1x1	17.9.1x1.x
cisco / ios_xe	17.9.2a	17.9.2a.x
cisco / ios_xe	17.9.3	17.9.3.x
cisco / ios_xe	17.9.1y	17.9.1y.x
cisco / ios_xe	17.9.1x	17.9.1x.x
cisco / ios_xe	17.9.2	17.9.2.x
cisco / ios_xe	17.10.1b	17.10.1b.x
cisco / ios_xe	17.10.1a	17.10.1a.x
cisco / ios_xe	17.6.5a	17.6.5a.x
cisco / ios_xe	17.6.6a	17.6.6a.x
cisco / ios_xe	17.6.6	17.6.6.x
cisco / ios_xe	17.3.8a	17.3.8a.x
cisco / ios_xe	17.3.8	17.3.8.x

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-csrf-ycUYxkKO

Vulnerability Database

289,598

CVE-2024-20437