
CVE-2024-20359

Severity: High
Vendor: Cisco
SVRS: 60/100
CVSSv3: 6.0/10
EPSS: 0.00026/1

CVE-2024-20359 is a high-severity vulnerability in Cisco ASA and FTD software that allows arbitrary code execution. It stems from improper validation of a file read from system flash memory, which lets a local attacker who already holds administrator privileges run code as root. Despite a CVSS score of 6.0, the SOCRadar Vulnerability Risk Score (SVRS) is 60, indicating moderate risk. Exploitation consists of copying a crafted file to the device's disk0: file system; the code runs after the next device reload and can alter system behavior persistently. Because the injected code survives reboots, Cisco raised its Security Impact Rating to High, and with exploit code public and exploitation confirmed in the wild, immediate patching is essential.

Status: In the wild; exploit available; listed in CISA KEV
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Published: 2024-04-24
Updated: 2025-01-27
SOCRadar AI Insight

Description

CVE-2024-20359 is a high-severity vulnerability (Cisco Security Impact Rating: High) in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that allows an authenticated, local attacker to execute arbitrary code with root-level privileges. The vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker with administrator privileges could exploit it by copying a crafted file to the disk0: file system of an affected device. A successful exploit allows the attacker to execute arbitrary code on the device after its next reload, which can alter system behavior and persists across subsequent reboots.

Key Insights

  • The SVRS of 60 shown above indicates a moderate risk score, but the vulnerability still warrants urgent attention because the code it injects survives device reloads.
  • Proof-of-concept exploit code has been published, and the vulnerability has been exploited in the wild (the ArcaneDoor campaign, alongside CVE-2024-20353).
  • The Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it and urging all organizations to do the same.

Mitigation Strategies

  • Upgrade to a fixed release of Cisco ASA Software or Cisco Firepower Threat Defense (FTD) Software. Cisco has stated there are no workarounds; the fixed releases remove the legacy VPN client and plug-in preloading capability that reads the crafted file from disk0:, so this is the only real remediation.
  • Until the upgrade is applied, limit the set of accounts holding administrator privileges on the device, since exploitation requires them, and review how administrator credentials are issued and audited.
  • Restrict write access to the disk0: file system and audit it for unexpected files, in particular .zip archives, before and after every reload.
  • Monitor for suspicious activity such as unexpected reloads, configuration changes, and unknown files on disk0:. If an artifact is found, preserve it for forensic analysis rather than deleting it, and treat the device as compromised.
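The description and the disk0: items in the list above reduce to one practical check: what is on disk0: that was not put there during provisioning? The script below is an added example, not Cisco tooling and not code from the original page. The listing it parses is constructed to resemble ASA `dir disk0:` output (real column widths may differ, so the parser keys on the permission, size and timestamp fields and takes the remainder of the line as the file name), and the BASELINE allowlist is a placeholder for the images you actually installed.

```python
"""Audit a `dir disk0:` listing for the artefact CVE-2024-20359 relies on.

Added example; not Cisco tooling and not code from the original page. The
exploit path is: an administrator-level attacker copies a crafted file to
disk0:, and the legacy preloading capability consumes it on the next reload.
The practical check is therefore "what is on disk0: that I did not put there?"
"""
import re
from dataclasses import dataclass

# Constructed sample, not a capture from a real device.
SAMPLE_DIR_OUTPUT = """\
Directory of disk0:/

11     -rwx  57245248   12:30:14 Mar 18 2024  asa9-18-4-22-smp-k8.SPA
12     -rwx   9813076   12:31:02 Mar 18 2024  asdm-7181.bin
13     -rwx      1204   09:12:55 Apr 09 2024  plugin_bundle.zip
14     drwx      4096   12:30:14 Mar 18 2024  coredumpinfo
15     -rwx       812   08:02:19 Apr 10 2024  startup-config.bak

8192000000 bytes total (8100000000 bytes free)
"""

# Files expected on this appliance after provisioning (assumption; replace
# with your own inventory, e.g. from a change record or a golden image).
BASELINE = {"asa9-18-4-22-smp-k8.SPA", "asdm-7181.bin", "coredumpinfo"}

# One entry line: index, permissions, size, time, date, name. Header and
# totals lines do not match because their second field is not a permission.
ENTRY = re.compile(
    r"^\s*\d+\s+(?P<perm>[-d][rwx-]{3})\s+(?P<size>\d+)\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>[A-Za-z]{3} \d{1,2} \d{4})\s+(?P<name>\S.*?)\s*$"
)


@dataclass
class Entry:
    name: str
    is_dir: bool
    size: int
    modified: str


@dataclass
class Finding:
    entry: Entry
    severity: str  # "high" for a zip archive, "review" for anything off-baseline
    reasons: list


def parse_dir(listing: str) -> list:
    """Parse the entry lines of a `dir` listing; header and totals are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(Entry(m["name"], m["perm"].startswith("d"),
                                 int(m["size"]), f"{m['date']} {m['time']}"))
    return entries


def audit_disk0(listing: str, baseline=BASELINE) -> list:
    """Flag zip archives (what the legacy preloader consumes) and unknown files."""
    findings = []
    for entry in parse_dir(listing):
        reasons = []
        if not entry.is_dir and entry.name.lower().endswith(".zip"):
            reasons.append("zip archive on disk0: is the file type the vulnerable preloader reads at reload")
        if entry.name not in baseline:
            reasons.append("not in the provisioning baseline")
        if reasons:
            severity = "high" if reasons[0].startswith("zip") else "review"
            findings.append(Finding(entry, severity, reasons))
    findings.sort(key=lambda f: f.severity != "high")  # stable: high first
    return findings


if __name__ == "__main__":
    for f in audit_disk0(SAMPLE_DIR_OUTPUT):
        print(f"[{f.severity.upper()}] {f.entry.name} ({f.entry.size} bytes, {f.entry.modified})")
        for r in f.reasons:
            print(f"    - {r}")
    # Anything flagged HIGH: do not delete it. Copy it off the device for
    # analysis and treat the appliance as compromised until the upgrade and
    # the vendor advisory guidance have been applied.
```

Feed it the output of `dir disk0:` captured from the device, and keep the baseline under change control so that the "review" findings stay meaningful. A zip archive is flagged regardless of the baseline on purpose: an attacker with administrator access can name the file anything, so an allowlist alone is not enough, and any archive on flash deserves a look before the next reload.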


Indicators of Compromise

Type   Indicator          Date
IP     103.119.3.230      2024-05-25
IP     194.4.49.6         2024-05-25
IP     89.44.198.189      2024-05-25
IP     103.114.200.230    2024-05-25
IP     103.125.218.198    2024-05-25
IP     103.20.222.218     2024-05-25
IP     103.27.132.69      2024-05-25

Exploits

Title                                                       Link                                                                          Date
Cisco ASA and FTD Privilege Escalation Vulnerability        https://www.cisa.gov/search?g=CVE-2024-20359                                  2024-04-24
  (this is the CISA KEV catalog entry, not exploit code)
Garvard-Agency/CVE-2024-20359-CiscoASA-FTD-exploit          https://github.com/Garvard-Agency/CVE-2024-20359-CiscoASA-FTD-exploit          2024-05-04
  (third-party repository as listed on this page; its contents are not verified here)

News

Multiple vulnerabilities in Cisco products (25 April 2024)
ssi.gouv.fr (CERT-FR), 2025-04-01
On 24 April 2024, Cisco published three security advisories concerning vulnerabilities affecting its ASA and FTD security appliances. Two of them concern CVE-2024-20353 and CVE-2024-20359, which are being actively exploited in targeted attacks. The vulnerability...
CVE-2024-20359 | Cisco ASA/Firepower Threat Defense Legacy Capability code injection (cisco-sa-asaftd-persist-rce-FLsNXF4h)
vuldb.com, 2025-01-28
A vulnerability, which was classified as critical, has been found in Cisco ASA and Firepower Threat Defense. Affected by this issue is some unknown functionality of the component Legacy Capability. The manipulation leads to code injection. This vulnerability is handled as CVE-2024-20359. An attack has...
ArcaneDoor Unlocked: Tackling State-Sponsored Cyber Espionage in Network Perimeters - Qualys Blog
2024-04-24
Cisco recently uncovered a sophisticated cyber espionage campaign, ArcaneDoor, targeting perimeter network devices used by government and critical infrastructure sectors. This campaign involves state-sponsored actors exploiting two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) aimed primarily at espionage through intricate malware known as Line Runner and Line Dancer. ArcaneDoor manipulates perimeter network devices, such as Cisco Adaptive Security Appliances (ASA), to reroute or monitor network traffic, providing a strategic vantage point for espionage. The investigation, spurred by vigilant customer reports early in...
Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks - Security Affairs
2024-04-24
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks. Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide. Cisco Talos researchers tracked...
Cisco's ASA vertical suffers state-backed hacking attempt - MediaNama.com
2024-04-26
Cisco's Adaptive Security Appliances (ASA), security devices meant to protect corporate networks and data centres through features like firewalls and VPNs, were compromised in a state-sponsored hacker attack that targeted government officials globally. A press release by three government agencies, the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Australian Cyber Security Centre and the UK's National Cyber Security Centre (NCSC), states that the agencies were investigating a "well-resourced and sophisticated state-sponsored actor" targeting VPN services used by governments globally. The...
State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage - The Hacker News
2024-04-25
A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification...
Cisco warns of backdoor admin account in Smart Licensing Utility - BleepingComputer
2024-09-04
By Sergiu Gatlan. Cisco has removed a backdoor account in the Cisco Smart Licensing Utility (CSLU) that can be used to log into unpatched systems with administrative privileges. CSLU is a Windows application that helps manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution. The company says this critical vulnerability (CVE-2024-20439) allows unauthenticated attackers to log into unpatched systems remotely using an "undocumented static user credential for an administrative account." "A successful...

Social Media

  • @wayneyeung @AskPerplexity The ArcaneDoor campaign, uncovered in April 2024, is a state-sponsored cyber espionage effort targeting Cisco Adaptive Security Appliances. It exploits two zero-day vulnerabilities, CVE-2024-20353 and CVE-2024-20359, to deploy backdoors called Line Runner and Line Dancer. These...
  • The latest update for #InvGate includes "CVE-2024-20359: Understanding And Detecting the Vulnerability" and "How to Measure Success When #AI Breaks Your Metrics". #ITSM https://t.co/oTnXsSdIGV
  • CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor https://t.co/tESrlTiW1E https://t.co/MjV3ehUFSs
  • Actively exploited CVE ID, source in the thread (generated, not vetted) CVE-2024-20359
  • CVE-2024-20359
  • Threat Intelligence and Product Vulnerability Attack Trends - Date: 2024-05-27 Threats on Products and CVEs 🚨 New CVEs CVE-2024-20353 & CVE-2024-20359 exploited in Cisco ASA devices! Stay updated: https://t.co/rG73D6Mj4Y
  • 🚨 CVE-2024-20353 and CVE-2024-20359: Flaws in Cisco ASA and FTD allow denial of service and privilege escalation, exploited by malicious actors (CISA). #CyberSecurity #Cisco #Infosec
  • CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor https://t.co/P5MEYAih85 https://t.co/OHbDoWoJDZ
  • Active CVEs: CVE-2024-3094, CVE-2024-21338, CVE-2024-3400, CVE-2024-4040, CVE-2015-2051, CVE-2023-1389, CVE-2023-46805, CVE-2024-20358, CVE-2022-38028, CVE-2022-21587, CVE-2024-21887, CVE-2024-21412, CVE-2024-20353, CVE-2023-36396, CVE-2024-20359
  • New in our analyst lens series, CISA added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — affecting popular file transfer tool CrushFTP. Affecting Cisco's Adaptive Security Appliances (ASA) and the related Firepower Threat Defense (FTD) software suite. https://t.co/mHqhHSDm3D

Affected Software

Configuration   Type   Vendor   Product
1               OS     Cisco    adaptive_security_appliance_software
2               App    Cisco    firepower_threat_defense

References

Reference                                   Link
[email protected]                            https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
AF854A3A-2127-422B-91AE-364DA2661108        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

CWE Details

CWE ID    CWE Name                                                          Description
CWE-94    Improper Control of Generation of Code ('Code Injection')         The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
