CVE-2020-3297

9.8 CRITICAL

Authentication Bypass

📋 TL;DR

CVE-2020-3297 allows unauthenticated remote attackers to bypass authentication on Cisco Small Business Smart and Managed Switches by brute-forcing weak session IDs. This enables session hijacking with administrative privileges. Organizations using affected Cisco switches with web management interfaces exposed are vulnerable.

💻 Affected Systems

Products:

• Cisco Small Business Smart Switches
• Cisco Small Business Managed Switches

Versions: Multiple firmware versions prior to specific fixes

Operating Systems: Switch firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects switches with web-based management interface enabled. Specific affected models include 250, 350, 350X, 550X series and others.

📦 What is this software?

Sf200 24 Firmware by Cisco

View all CVEs affecting Sf200 24 Firmware →

Sf200 24fp Firmware by Cisco

View all CVEs affecting Sf200 24fp Firmware →

Sf200 24p Firmware by Cisco

View all CVEs affecting Sf200 24p Firmware →

Sf200 48 Firmware by Cisco

View all CVEs affecting Sf200 48 Firmware →

Sf200 48p Firmware by Cisco

View all CVEs affecting Sf200 48p Firmware →

Sf200e 24 Firmware by Cisco

View all CVEs affecting Sf200e 24 Firmware →

Sf200e 24p Firmware by Cisco

View all CVEs affecting Sf200e 24p Firmware →

Sf200e 48 Firmware by Cisco

View all CVEs affecting Sf200e 48 Firmware →

Sf200e 48p Firmware by Cisco

View all CVEs affecting Sf200e 48p Firmware →

Sf250 24 Firmware by Cisco

View all CVEs affecting Sf250 24 Firmware →

Sf250 24p Firmware by Cisco

View all CVEs affecting Sf250 24p Firmware →

Sf250 48 Firmware by Cisco

View all CVEs affecting Sf250 48 Firmware →

Sf250 48hp Firmware by Cisco

View all CVEs affecting Sf250 48hp Firmware →

Sf300 08 Firmware by Cisco

View all CVEs affecting Sf300 08 Firmware →

Sf300 24 Firmware by Cisco

View all CVEs affecting Sf300 24 Firmware →

Sf300 24mp Firmware by Cisco

View all CVEs affecting Sf300 24mp Firmware →

Sf300 24p Firmware by Cisco

View all CVEs affecting Sf300 24p Firmware →

Sf300 24pp Firmware by Cisco

View all CVEs affecting Sf300 24pp Firmware →

Sf300 48 Firmware by Cisco

View all CVEs affecting Sf300 48 Firmware →

Sf300 48p Firmware by Cisco

View all CVEs affecting Sf300 48p Firmware →

Sf300 48pp Firmware by Cisco

View all CVEs affecting Sf300 48pp Firmware →

Sf302 08 Firmware by Cisco

View all CVEs affecting Sf302 08 Firmware →

Sf302 08mp Firmware by Cisco

View all CVEs affecting Sf302 08mp Firmware →

Sf302 08mpp Firmware by Cisco

View all CVEs affecting Sf302 08mpp Firmware →

Sf302 08p Firmware by Cisco

View all CVEs affecting Sf302 08p Firmware →

Sf302 08pp Firmware by Cisco

View all CVEs affecting Sf302 08pp Firmware →

Sf350 48 Firmware by Cisco

View all CVEs affecting Sf350 48 Firmware →

Sf350 48mp Firmware by Cisco

View all CVEs affecting Sf350 48mp Firmware →

Sf350 48p Firmware by Cisco

View all CVEs affecting Sf350 48p Firmware →

Sf500 24 Firmware by Cisco

View all CVEs affecting Sf500 24 Firmware →

Sf500 24p Firmware by Cisco

View all CVEs affecting Sf500 24p Firmware →

Sf500 48 Firmware by Cisco

View all CVEs affecting Sf500 48 Firmware →

Sf500 48p Firmware by Cisco

View all CVEs affecting Sf500 48p Firmware →

Sf550x 24 Firmware by Cisco

View all CVEs affecting Sf550x 24 Firmware →

Sf550x 24mp Firmware by Cisco

View all CVEs affecting Sf550x 24mp Firmware →

Sf550x 24p Firmware by Cisco

View all CVEs affecting Sf550x 24p Firmware →

Sf550x 48 Firmware by Cisco

View all CVEs affecting Sf550x 48 Firmware →

Sf550x 48mp Firmware by Cisco

View all CVEs affecting Sf550x 48mp Firmware →

Sf550x 48p Firmware by Cisco

View all CVEs affecting Sf550x 48p Firmware →

Sg200 08 Firmware by Cisco

View all CVEs affecting Sg200 08 Firmware →

Sg200 08p Firmware by Cisco

View all CVEs affecting Sg200 08p Firmware →

Sg200 10fp Firmware by Cisco

View all CVEs affecting Sg200 10fp Firmware →

Sg200 18 Firmware by Cisco

View all CVEs affecting Sg200 18 Firmware →

Sg200 26 Firmware by Cisco

View all CVEs affecting Sg200 26 Firmware →

Sg200 26fp Firmware by Cisco

View all CVEs affecting Sg200 26fp Firmware →

Sg200 26p Firmware by Cisco

View all CVEs affecting Sg200 26p Firmware →

Sg200 50 Firmware by Cisco

View all CVEs affecting Sg200 50 Firmware →

Sg200 50fp Firmware by Cisco

View all CVEs affecting Sg200 50fp Firmware →

Sg200 50p Firmware by Cisco

View all CVEs affecting Sg200 50p Firmware →

Sg250 08 Firmware by Cisco

View all CVEs affecting Sg250 08 Firmware →

Sg250 08hp Firmware by Cisco

View all CVEs affecting Sg250 08hp Firmware →

Sg250 10p Firmware by Cisco

View all CVEs affecting Sg250 10p Firmware →

Sg250 18 Firmware by Cisco

View all CVEs affecting Sg250 18 Firmware →

Sg250 26 Firmware by Cisco

View all CVEs affecting Sg250 26 Firmware →

Sg250 26hp Firmware by Cisco

View all CVEs affecting Sg250 26hp Firmware →

Sg250 26p Firmware by Cisco

View all CVEs affecting Sg250 26p Firmware →

Sg250 50 Firmware by Cisco

View all CVEs affecting Sg250 50 Firmware →

Sg250 50hp Firmware by Cisco

View all CVEs affecting Sg250 50hp Firmware →

Sg250 50p Firmware by Cisco

View all CVEs affecting Sg250 50p Firmware →

Sg250x 24 Firmware by Cisco

View all CVEs affecting Sg250x 24 Firmware →

Sg250x 24p Firmware by Cisco

View all CVEs affecting Sg250x 24p Firmware →

Sg250x 48 Firmware by Cisco

View all CVEs affecting Sg250x 48 Firmware →

Sg250x 48p Firmware by Cisco

View all CVEs affecting Sg250x 48p Firmware →

Sg300 10 Firmware by Cisco

View all CVEs affecting Sg300 10 Firmware →

Sg300 10mp Firmware by Cisco

View all CVEs affecting Sg300 10mp Firmware →

Sg300 10mpp Firmware by Cisco

View all CVEs affecting Sg300 10mpp Firmware →

Sg300 10p Firmware by Cisco

View all CVEs affecting Sg300 10p Firmware →

Sg300 10pp Firmware by Cisco

View all CVEs affecting Sg300 10pp Firmware →

Sg300 10sfp Firmware by Cisco

View all CVEs affecting Sg300 10sfp Firmware →

Sg300 20 Firmware by Cisco

View all CVEs affecting Sg300 20 Firmware →

Sg300 28 Firmware by Cisco

View all CVEs affecting Sg300 28 Firmware →

Sg300 28mp Firmware by Cisco

View all CVEs affecting Sg300 28mp Firmware →

Sg300 28p Firmware by Cisco

View all CVEs affecting Sg300 28p Firmware →

Sg300 28pp Firmware by Cisco

View all CVEs affecting Sg300 28pp Firmware →

Sg300 52 Firmware by Cisco

View all CVEs affecting Sg300 52 Firmware →

Sg300 52mp Firmware by Cisco

View all CVEs affecting Sg300 52mp Firmware →

Sg300 52p Firmware by Cisco

View all CVEs affecting Sg300 52p Firmware →

Sg350 10 Firmware by Cisco

View all CVEs affecting Sg350 10 Firmware →

Sg350 10mp Firmware by Cisco

View all CVEs affecting Sg350 10mp Firmware →

Sg350 10p Firmware by Cisco

View all CVEs affecting Sg350 10p Firmware →

Sg350 28 Firmware by Cisco

View all CVEs affecting Sg350 28 Firmware →

Sg350 28mp Firmware by Cisco

View all CVEs affecting Sg350 28mp Firmware →

Sg350 28p Firmware by Cisco

View all CVEs affecting Sg350 28p Firmware →

Sg350x 24 Firmware by Cisco

View all CVEs affecting Sg350x 24 Firmware →

Sg350x 24mp Firmware by Cisco

View all CVEs affecting Sg350x 24mp Firmware →

Sg350x 24p Firmware by Cisco

View all CVEs affecting Sg350x 24p Firmware →

Sg350x 48 Firmware by Cisco

View all CVEs affecting Sg350x 48 Firmware →

Sg350x 48mp Firmware by Cisco

View all CVEs affecting Sg350x 48mp Firmware →

Sg350x 48p Firmware by Cisco

View all CVEs affecting Sg350x 48p Firmware →

Sg350xg 24f Firmware by Cisco

View all CVEs affecting Sg350xg 24f Firmware →

Sg350xg 24t Firmware by Cisco

View all CVEs affecting Sg350xg 24t Firmware →

Sg350xg 2f10 Firmware by Cisco

View all CVEs affecting Sg350xg 2f10 Firmware →

Sg350xg 48t Firmware by Cisco

View all CVEs affecting Sg350xg 48t Firmware →

Sg355 10p Firmware by Cisco

View all CVEs affecting Sg355 10p Firmware →

Sg500 28 Firmware by Cisco

View all CVEs affecting Sg500 28 Firmware →

Sg500 28mpp Firmware by Cisco

View all CVEs affecting Sg500 28mpp Firmware →

Sg500 28p Firmware by Cisco

View all CVEs affecting Sg500 28p Firmware →

Sg500 52 Firmware by Cisco

View all CVEs affecting Sg500 52 Firmware →

Sg500 52mp Firmware by Cisco

View all CVEs affecting Sg500 52mp Firmware →

Sg500 52p Firmware by Cisco

View all CVEs affecting Sg500 52p Firmware →

Sg500x 24 Firmware by Cisco

View all CVEs affecting Sg500x 24 Firmware →

Sg500x 24p Firmware by Cisco

View all CVEs affecting Sg500x 24p Firmware →

Sg500x 48 Firmware by Cisco

View all CVEs affecting Sg500x 48 Firmware →

Sg500x 48p Firmware by Cisco

View all CVEs affecting Sg500x 48p Firmware →

Sg500xg 8f8t Firmware by Cisco

View all CVEs affecting Sg500xg 8f8t Firmware →

Sg550x 24 Firmware by Cisco

View all CVEs affecting Sg550x 24 Firmware →

Sg550x 24mp Firmware by Cisco

View all CVEs affecting Sg550x 24mp Firmware →

Sg550x 24mpp Firmware by Cisco

View all CVEs affecting Sg550x 24mpp Firmware →

Sg550x 24p Firmware by Cisco

View all CVEs affecting Sg550x 24p Firmware →

Sg550x 48 Firmware by Cisco

View all CVEs affecting Sg550x 48 Firmware →

Sg550x 48mp Firmware by Cisco

View all CVEs affecting Sg550x 48mp Firmware →

Sg550x 48p Firmware by Cisco

View all CVEs affecting Sg550x 48p Firmware →

Sx550x 12f Firmware by Cisco

View all CVEs affecting Sx550x 12f Firmware →

Sx550x 16ft Firmware by Cisco

View all CVEs affecting Sx550x 16ft Firmware →

Sx550x 24 Firmware by Cisco

View all CVEs affecting Sx550x 24 Firmware →

Sx550x 24f Firmware by Cisco

View all CVEs affecting Sx550x 24f Firmware →

Sx550x 24ft Firmware by Cisco

View all CVEs affecting Sx550x 24ft Firmware →

Sx550x 52 Firmware by Cisco

View all CVEs affecting Sx550x 52 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of network switch with administrative access, enabling network traffic interception, configuration changes, and potential lateral movement to other systems.

🟠

Likely Case

Unauthorized access to switch management interface leading to configuration changes, network disruption, or credential harvesting.

🟢

If Mitigated

Limited impact if switches are patched, management interfaces are isolated, and network segmentation is implemented.

🌐 Internet-Facing: HIGH - Web management interfaces exposed to internet are directly exploitable by unauthenticated attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires brute-forcing session IDs which is straightforward with available tools. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by model - refer to Cisco advisory for specific firmware versions

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY

Restart Required: Yes

Instructions:

1. Identify affected switch models and current firmware. 2. Download appropriate firmware from Cisco support site. 3. Backup current configuration. 4. Upload and install new firmware via web interface or CLI. 5. Verify installation and restore configuration if needed.

🔧 Temporary Workarounds

Disable web management interface

all

Disable HTTP/HTTPS management access and use CLI or other management methods

Copy

no ip http server
no ip http secure-server

Restrict management access

all

Limit management interface access to trusted IP addresses only

Copy

ip http access-class <ACL-NAME>
ip http secure-server access-class <ACL-NAME>

🧯 If You Can't Patch

• Isolate management interfaces to dedicated VLAN with strict access controls
• Implement network segmentation to limit potential lateral movement from compromised switches

🔍 How to Verify

Check if Vulnerable:

Copy

Check switch firmware version against Cisco advisory. Use 'show version' command and compare to affected versions list.

Check Version:

Copy

show version

Verify Fix Applied:

Copy

Verify firmware version after update matches patched versions in Cisco advisory. Test session ID generation for improved entropy.

📡 Detection & Monitoring

Log Indicators:

• Multiple failed login attempts followed by successful login from same IP
• Session ID brute force patterns in web logs
• Configuration changes from unexpected sources

Network Indicators:

• Unusual HTTP/HTTPS traffic to switch management interfaces
• Multiple session ID requests in short timeframes

SIEM Query:

Copy

source="switch_logs" ("authentication failed" count>10 within 1m) OR ("session" AND "brute")

📊 Metadata

CVE ID: CVE-2020-3297

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: July 2, 2020

Last Updated: November 21, 2024

🔗 References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY Vendor Advisory
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbswitch-session-JZAS5jnY Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-3297, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)

CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)

CVE-2026-20127 10.0

This critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager al...

Same vulnerability type (CWE-287)