PT-2024-18671 · Cisco · Cisco Meraki Z Series Teleworker Gateway

Keane Okelley · Published 2024-10-02 · Updated 2025-06-03 · CVE-2024-20509

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified)

Description

A vulnerability in the Cisco AnyConnect VPN server could allow an unauthenticated, remote attacker to hijack an AnyConnect VPN session or cause a denial of service (DoS) condition for individual users of the AnyConnect VPN service on an affected device. This issue is due to weak entropy for handlers used during the VPN authentication process and a race condition in the same process. An attacker could exploit this by correctly guessing an authentication handler and sending crafted HTTPS requests to an affected device, potentially taking over the AnyConnect VPN session from a target user or preventing the target user from establishing a session.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2024-20509

Affected Products

Cisco AnyConnect VPN
Cisco Meraki MX
Cisco Meraki Z Series Teleworker Gateway