Command Injection via Auth Bypass in Cisco ATA 190 Series Web UI
CVE-2024-20420 Published on October 16, 2024

Cisco ATA 190 Series Analog Telephone Adapter Firmware Privilege Escalation Vulnerability
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with low privileges to run commands as an Admin user. This vulnerability is due to incorrect authorization verification by the HTTP server. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface. A successful exploit could allow the attacker to run commands as the Admin user.

NVD

Vulnerability Analysis

CVE-2024-20420 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Types

Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2024-20420 has been classified to as an AuthZ vulnerability or weakness.

Affected Versions

Cisco Analog Telephone Adaptor (ATA) Software:

Version 12.0.1 SR2 is affected.
Version 11.1.0 is affected.
Version 12.0.1 SR1 is affected.
Version 11.1.0 MSR1 is affected.
Version 11.1.0 MSR2 is affected.
Version 11.1.0 MSR3 is affected.
Version 11.1.0 MSR4 is affected.
Version 12.0.1 SR3 is affected.
Version 11.2.1 is affected.
Version 12.0.1 SR4 is affected.
Version 11.2.2 is affected.
Version 11.2.2 MSR1 is affected.
Version 12.0.1 SR5 is affected.
Version 11.2.3 is affected.
Version 11.2.4 is affected.

Exploit Probability

EPSS

0.33%

Percentile

56.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.