PT-2024-6110 · Cisco · Cisco Cloud Network Controller +1

Giacomo Gloria +2 · Published 2024-08-11 · Updated 2025-08-01 · CVE-2024-20478

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller (affected versions not specified)

Description

A vulnerability in the software upgrade component could allow an authenticated, remote attacker with Administrator-level privileges to install a modified software image, leading to arbitrary code injection on an affected system. This issue is due to insufficient signature validation of software images. An attacker could exploit this by installing a modified software image, potentially executing arbitrary code and elevating privileges to root.

Recommendations

For all affected versions, administrators should always validate the hash of any upgrade image before uploading it to Cisco APIC and Cisco Cloud Network Controller. As a temporary workaround, consider restricting access to the software upgrade component until a patch is available. Additionally, ensure that only authorized personnel with Administrator-level privileges have access to the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
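
One way to enforce the hash check recommended above before an image is uploaded, as an added example that is not code from this entry or from Cisco. The function names, the sample file names and the choice to accept only SHA-256 or SHA-512 digests are assumptions, and the sample image is constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm (assumed policy:
# only SHA-256 and SHA-512 are accepted, shorter digests are rejected).
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published_hex):
    """Return True only if the image matches the vendor-published digest.

    published_hex must come from the vendor over a separate trusted channel,
    never from the same location the image itself was obtained from.
    """
    expected = "".join(published_hex.split()).lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published digest is not a SHA-256/SHA-512 hex string")
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed sample: a stand-in image and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "image.bin")            # hypothetical file name
        bad = os.path.join(d, "image-modified.bin")    # hypothetical file name
        payload = b"constructed sample image contents\n" * 1000
        with open(good, "wb") as fh:
            fh.write(payload)
        with open(bad, "wb") as fh:
            fh.write(payload[:-1] + b"X")
        published = hashlib.sha512(payload).hexdigest().upper()
        return verify_image(good, published), verify_image(bad, published)


if __name__ == "__main__":
    print(demo())
```

A `False` result or a `ValueError` should block the upload; the check is only as trustworthy as the source of the published digest.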

Weakness Enumeration

Related Identifiers

BDU:2024-07024
CVE-2024-20478

Affected Products

Cisco APIC
Cisco Cloud Network Controller