CVE-2024-20355

5.0 MEDIUM

📋 TL;DR

This vulnerability allows authenticated remote attackers to bypass SAML authorization controls in Cisco ASA/FTD VPN services. Attackers can intercept their valid SAML token and reuse it to connect through unauthorized VPN tunnel groups, gaining access to restricted networks. Organizations using Cisco ASA or FTD with SAML 2.0 SSO for remote access VPN are affected.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected versions
Operating Systems: Cisco ASA/FTD OS
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using SAML 2.0 single sign-on for remote access VPN services

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to sensitive internal networks, potentially leading to data exfiltration, lateral movement, and complete network compromise.

🟠

Likely Case

Privilege escalation where users access network segments beyond their authorization, potentially exposing sensitive systems and data.

🟢

If Mitigated

Limited impact due to network segmentation, additional authentication layers, or monitoring catching unauthorized access attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires valid VPN credentials, ability to intercept SAML tokens, and knowledge of different tunnel groups

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - refer to Cisco advisory

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-saml-bypass-KkNvXyKW

Restart Required: Yes

Instructions:

1. Review the Cisco advisory for the specific fixed versions for your ASA/FTD model.
2. Download the appropriate software from the Cisco Software Center.
3. Back up the configuration.
4. Apply the update following Cisco upgrade procedures.
5. Verify the upgrade succeeded and that VPN services function as expected.

🔧 Temporary Workarounds

Disable SAML 2.0 SSO for VPN


Temporarily disable SAML authentication on each affected tunnel group (connection profile) and switch it to an alternative VPN authentication method, for example aaa with an existing AAA server group. This is done per tunnel group in its webvpn-attributes section; removing the whole webvpn service is not required and would take down all remote access VPN.

tunnel-group <name> webvpn-attributes
 no authentication saml
 authentication <alternative-method>

🧯 If You Can't Patch

  • Implement strict network segmentation to limit potential lateral movement from VPN-connected networks
  • Enable detailed VPN session logging and monitor for unauthorized access attempts across tunnel groups

🔍 How to Verify

Check if Vulnerable:

Check if ASA/FTD is configured with SAML 2.0 SSO for remote access VPN: 'show running-config webvpn' and 'show running-config tunnel-group'

Check Version:

show version | include Version

Verify Fix Applied:

Verify software version is patched: 'show version' and confirm version matches fixed releases in Cisco advisory
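The two checks above are manual reads of show command output. The following added Python script (not part of this page or of Cisco's tooling) automates the first one: it parses saved output of show running-config tunnel-group and lists every tunnel group whose webvpn-attributes use SAML, together with the identity provider bound to it, so you can quickly see which connection profiles are in scope. The sample configuration is constructed for the example; the tunnel-group names, pool name and IdP URL are made up, only the command layout follows ASA syntax.

```python
import re

# Constructed sample of `show running-config tunnel-group` output.
# The block structure follows ASA config syntax; all names and the IdP URL
# are invented for this example.
SAMPLE_CONFIG = """\
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 address-pool VPN_POOL
tunnel-group EMPLOYEES webvpn-attributes
 authentication saml
 group-alias employees enable
 saml identity-provider https://idp.example.test/saml
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS webvpn-attributes
 authentication aaa
 group-alias contractors enable
tunnel-group ADMINS type remote-access
tunnel-group ADMINS webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.test/saml
"""

WEBVPN_BLOCK = re.compile(r"^tunnel-group (\S+) webvpn-attributes\s*$")
OTHER_BLOCK = re.compile(r"^tunnel-group \S+ ")


def saml_tunnel_groups(config_text):
    """Return {tunnel_group: idp_url_or_None} for every tunnel group whose
    webvpn-attributes section contains `authentication saml`."""
    current = None          # tunnel group whose webvpn-attributes we are inside
    methods = {}            # group -> list of authentication keywords
    idp = {}                # group -> saml identity-provider value
    for line in config_text.splitlines():
        m = WEBVPN_BLOCK.match(line)
        if m:
            current = m.group(1)
            continue
        if OTHER_BLOCK.match(line):
            current = None  # type / general-attributes / ipsec-attributes block
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("authentication "):
            methods[current] = stripped.split()[1:]
        elif stripped.startswith("saml identity-provider "):
            idp[current] = stripped.split(maxsplit=2)[2]
    return {g: idp.get(g) for g, kws in methods.items() if "saml" in kws}


def report(config_text):
    """Human-readable summary: one line per SAML-enabled tunnel group."""
    found = saml_tunnel_groups(config_text)
    if not found:
        return "no tunnel groups use SAML authentication; CVE-2024-20355 not exposed"
    return "\n".join(f"SAML tunnel group: {g} (IdP: {u or 'none configured'})"
                     for g, u in sorted(found.items()))


if __name__ == "__main__":
    # In practice: paste or pipe the real `show running-config tunnel-group` output here.
    print(report(SAMPLE_CONFIG))
```

Run it against the real show output captured from the appliance; any tunnel group listed is one where the SAML workaround above or the vendor fix applies.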

📡 Detection & Monitoring

Log Indicators:

  • VPN authentication logs showing same user authenticating to multiple tunnel groups
  • SAML token reuse across different connection profiles
  • Unusual VPN session patterns from authorized users

Network Indicators:

  • VPN connections from users to network segments outside their normal authorization scope
  • Traffic patterns inconsistent with user roles

SIEM Query:

source="asa_logs" AND ("SAML" OR "webvpn") AND ("tunnel-group" OR "connection-profile") | stats count by user, tunnel_group
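The first log indicator above, one user starting VPN sessions in more than one tunnel group, can be checked outside a SIEM as well. The following added Python script (not from this page or from Cisco) parses ASA VPN session-start syslogs and flags any user who appears in two different groups within a short window, which is the pattern an assertion reused across connection profiles would produce. The log lines are constructed for the example: they follow the "Group <...> User <...> IP <...>" layout that ASA VPN syslog messages use, but the hostnames, users, groups and addresses are invented, and the assumption that the Group field carries the connection profile should be checked against your own logs, since some message IDs report the group-policy there instead. The message-ID set and the one-hour window are assumptions to tune, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real captures). Layout follows ASA's
# "Group <g> User <u> IP <ip>" VPN messages; all values are invented.
SAMPLE_LOGS = """\
Mar 12 10:01:02 asa1 %ASA-6-113039: Group <EMPLOYEES> User <alice> IP <203.0.113.10> AnyConnect parent session started.
Mar 12 10:04:40 asa1 %ASA-6-113039: Group <ADMINS> User <alice> IP <203.0.113.10> AnyConnect parent session started.
Mar 12 10:05:11 asa1 %ASA-6-113039: Group <CONTRACTORS> User <bob> IP <198.51.100.7> AnyConnect parent session started.
Mar 12 11:30:00 asa1 %ASA-6-113039: Group <CONTRACTORS> User <bob> IP <198.51.100.7> AnyConnect parent session started.
Mar 12 09:00:00 asa1 %ASA-6-113039: Group <EMPLOYEES> User <carol> IP <192.0.2.5> AnyConnect parent session started.
Mar 12 15:00:00 asa1 %ASA-6-113039: Group <ADMINS> User <carol> IP <192.0.2.5> AnyConnect parent session started.
Mar 12 10:06:00 asa1 %ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443
""".splitlines()

LOG_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(\d+): "
    r"Group <([^>]+)> User <([^>]+)> IP <([^>]+)>"
)
# Assumed set of message IDs that mark the start of a remote access VPN session;
# extend it after reviewing which IDs your appliance emits.
SESSION_START_IDS = {"113039", "722022", "716001"}
LOG_YEAR = 2024  # ASA syslog timestamps carry no year; supply the capture year


def parse_session_start(line):
    """Return (timestamp, group, user, ip) for a session-start line, else None."""
    m = LOG_RE.match(line)
    if not m or m.group(2) not in SESSION_START_IDS:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(4), m.group(5)


def find_cross_group_users(lines, window=timedelta(hours=1)):
    """Flag users who start sessions in two different groups within `window`.
    Returns a list of dicts; a user/group pair is reported once, with the
    shortest gap between the two groups' session starts."""
    starts = defaultdict(list)
    for line in lines:
        rec = parse_session_start(line)
        if rec:
            ts, group, user, ip = rec
            starts[user].append((ts, group, ip))

    findings = {}
    for user, events in starts.items():
        events.sort()
        for i, (ts1, g1, ip1) in enumerate(events):
            for ts2, g2, ip2 in events[i + 1:]:
                gap = ts2 - ts1
                if gap > window:
                    break               # events are sorted; later ones are further away
                if g1 == g2:
                    continue            # same tunnel group: normal reconnect
                key = (user, *sorted((g1, g2)))
                seconds = int(gap.total_seconds())
                if key not in findings or seconds < findings[key]["seconds_between"]:
                    findings[key] = {"user": user, "groups": sorted((g1, g2)),
                                     "ips": sorted({ip1, ip2}),
                                     "seconds_between": seconds}
    return sorted(findings.values(), key=lambda f: (f["user"], f["groups"]))


if __name__ == "__main__":
    for f in find_cross_group_users(SAMPLE_LOGS):
        print(f"ALERT user={f['user']} groups={f['groups']} ips={f['ips']} "
              f"gap={f['seconds_between']}s")
```

In the sample, alice is flagged (EMPLOYEES then ADMINS four minutes apart), bob is not (same group twice), and carol is not because her two groups are six hours apart, outside the window; a legitimately multi-role user will show up here too, so treat a hit as a lead to verify against the user's entitlements rather than as proof of exploitation.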

🔗 References
