Cisco Systems Manager for Windows Vulnerability Let Attackers Escalate Privilege

Cisco Systems has issued a critical security advisory for a vulnerability in the Cisco Meraki Systems Manager (SM) Agent for Windows.

The flaw, identified as CVE-2024-20430, allows authenticated local attackers to execute arbitrary code with elevated privileges. With a CVSS score of 7.3, this vulnerability is considered high severity and poses a significant risk to affected systems.

CVE-2024-20430 – Vulnerability Details

The vulnerability arises from incorrect handling of directory search paths at runtime. This flaw allows a low-privileged attacker to exploit the system by placing malicious configuration and DLL files.

When the Cisco Meraki SM launches on startup, it reads and executes these files, potentially granting the attacker SYSTEM-level privileges.

Cisco has confirmed that there are no workarounds for this vulnerability. Users are strongly advised to apply software updates to mitigate the risk.

Cisco Meraki has released updates that address the issue, and users should upgrade to Cisco Meraki SM Agent for Windows Release 4.2.0 or later.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Affected Products

This vulnerability explicitly affects the Cisco Meraki SM Agent for Windows. Cisco has confirmed that the SM Agent for Mac is not affected.

Users are encouraged to check the Fixed Software section of the advisory for detailed information on vulnerable software releases.

Fixed Software and Recommendations

Cisco Meraki has provided free software updates to address this vulnerability. Customers must have a valid license to download these updates, available through the Meraki Dashboard.

Systems with the Agent Version Control set to the latest or Release 4.2.0 will automatically upgrade to a fixed release.

Cisco advises customers to regularly consult the Cisco Security Advisories page to stay informed about potential vulnerabilities and ensure their systems are up-to-date. Proper firmware practices should be followed to ensure compatibility and support for new releases.

The Cisco Meraki Product Security Incident Response Team (PSIRT) has not reported any public announcements or malicious exploitation of this vulnerability. However, the potential risk underscores the importance of prompt action by users to secure their systems.

Cisco’s proactive steps in addressing this vulnerability highlight the importance of maintaining robust security practices in the ever-evolving digital landscape.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!