Login Sign Up

CVE-2024-20326

7.8 HIGH

📋 TL;DR

This vulnerability allows authenticated low-privileged local attackers to read and write arbitrary files as root on affected Cisco systems. It affects ConfD CLI and Cisco Crosswork Network Services Orchestrator CLI due to improper authorization enforcement. Attackers can exploit specific CLI commands with crafted arguments to gain root-level file access.

💻 Affected Systems

Products:
  • Cisco ConfD CLI
  • Cisco Crosswork Network Services Orchestrator CLI
Versions: Specific affected versions detailed in Cisco advisories (check vendor links for exact ranges)
Operating Systems: Linux-based systems running Cisco software
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated low-privileged local access to the CLI interface.

📦 What is this software?

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Basic by Cisco

View all CVEs affecting Confd Basic →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Confd Premium by Cisco

View all CVEs affecting Confd Premium →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

Crosswork Network Services Orchestrator by Cisco

View all CVEs affecting Crosswork Network Services Orchestrator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise: attacker gains root access, can read sensitive files (passwords, configurations), write malicious files, install backdoors, or disrupt services.

🟠

Likely Case

Privilege escalation leading to data theft, configuration manipulation, or persistence establishment by authenticated malicious insiders or compromised low-privilege accounts.

🟢

If Mitigated

Limited impact due to strict access controls, monitoring, and network segmentation preventing lateral movement even if local exploitation occurs.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over network interfaces.
🏢 Internal Only: HIGH - Exploitable by authenticated local users, making it dangerous in environments with multiple users or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated access and knowledge of specific vulnerable commands.

Exploitation requires local authenticated access and knowledge of affected CLI commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisories for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cnfd-rwpesc-ZAOufyx8

Restart Required: Yes

Instructions:

1. Review Cisco security advisories for affected versions. 2. Download and apply appropriate patches from Cisco. 3. Restart affected services/systems as required. 4. Verify patch application.

🔧 Temporary Workarounds

Restrict CLI Access

linux

Limit access to CLI interfaces to only necessary administrative users

# Use access control lists or role-based access controls
# Example: configure user permissions in system configuration

Monitor CLI Commands

linux

Implement logging and monitoring of CLI command execution

# Enable audit logging for CLI sessions
# Example: configure logging for command execution

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access CLI interfaces
  • Monitor and audit all CLI command execution for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check system version against Cisco advisories and verify if running affected software versions.

Check Version:

# Check ConfD version: show version
# Check NSO version: show version

Verify Fix Applied:

Verify patch installation through version checks and test that vulnerable commands no longer allow unauthorized file access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CLI command execution patterns
  • File access attempts via CLI commands
  • Privilege escalation attempts in system logs

Network Indicators:

  • Not network exploitable - focus on local system monitoring

SIEM Query:

Search for CLI command execution patterns matching vulnerable commands or unusual file access attempts

📊 Metadata

CVE ID: CVE-2024-20326
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: May 16, 2024
Last Updated: July 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-20326, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)