Critical vulnerabilities in Cisco Secure Email Gateway and Cisco Smart Software Manager On-Prem (CVE-2024-20401, CVE-2024-20419)

Published: Aug 16, 2024 18:36

Advisory No: TZCERT-SA-24-0007

Source: Cisco Secure Email Gateway, Cisco Smart Software Manager On-Prem

Software Affected: Cisco Secure Email Gateway, Cisco Smart Software Manager On-Prem

Overview

Two Cisco products are affected by critical vulnerabilities. The vulnerabilities could allow an attacker to execute arbitrary code or cause a permanent denial of service (DoS) condition on the affected device.

Description

Cisco Secure Email Gateway and Cisco Smart Software Manager On-Prem are affected by two critical vulnerabilities, tracked as CVE-2024-20401 and CVE-2024-20419, with CVSS base scores of 9.8 and 10 respectively. The vulnerabilities result from improper handling of email attachments when file analysis and content filters are enabled, and from an improper implementation of the password-change process. They allow an unauthenticated, remote attacker to modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

Impact

Successful exploitation of these vulnerabilities may allow an unauthenticated, remote attacker to take control of the affected system or cause a denial of service condition.

Solution

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
