Max-Critical Cisco Bug Enables Command-Injection Attacks

  /     /     /  
Publicated : 23/11/2024   Category : security

Max-Critical Cisco Bug Enables Command-Injection Attacks


Though Cisco reports of no known malicious exploitation attempts, but thanks to a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks.


Cisco is warning of a critical security vulnerability found in its Unified industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points that could allow an unauthenticated remote attacker to release command-injection attacks.
An attacker could exploit the vulnerability (CVE-2024-20418, CVSS 10) by sending HTTP requests to the Web-based management interface of an affected system. If successful, the attacker could execute arbitrary commands with root privileges in the affected devices underlying operating system.
The vulnerability exists due to an improper validation of input to the Web-based management interface. It affects the three
Cisco wireless access points
(APs) if they have the URWB operating mode enabled and are running a vulnerable release: Catalyst IW9165D, Catalyst IW9165E (both APs and clients), and Catalyst IW9167E.
Devices not running URWB operating mode remain unaffected by this vulnerability. To ascertain whether URWB is enabled, users should use the show mpls-config CLI command.
If the command is available, the URWB operating mode is enabled and the device is affected by this vulnerability,
Cisco said
. If the command is not available, the URWB operating mode is disabled and the device is not affected by this vulnerability.
Cisco said its unaware of any public exploitation of the vulnerability and has released a fix for the flaw, but there are no other workarounds to address it.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Max-Critical Cisco Bug Enables Command-Injection Attacks