CVE-2024-20408

7.7 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers with VPN credentials to crash Cisco ASA/FTD devices via crafted HTTPS POST requests, causing denial of service. It affects systems with Dynamic Access Policies enabled. Organizations using Cisco ASA or FTD for remote access VPN are at risk.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
Versions: Multiple versions - check Cisco advisory for specific affected versions
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ✅ No
Notes: Requires Dynamic Access Policies (DAP) feature to be enabled and configured for remote access VPN

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device reload leading to extended VPN service outage, disrupting remote workforce access and potentially affecting business operations.

🟠

Likely Case

Temporary VPN service disruption during device reload, affecting remote users until service restoration.

🟢

If Mitigated

Minimal impact with proper authentication controls and monitoring to detect exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires valid VPN credentials, but exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dap-dos-bhEkP7n

Restart Required: Yes

Instructions:

1. Review Cisco advisory for affected versions
2. Download appropriate fixed software
3. Schedule maintenance window
4. Backup configuration
5. Apply update
6. Verify functionality

🔧 Temporary Workarounds

Disable DAP feature
Applies to: all
Temporarily disable Dynamic Access Policies if not required for operations (repeat for each configured record name in place of DAP_RECORD_NAME):

no dynamic-access-policy-record DAP_RECORD_NAME

Restrict VPN access
Applies to: all
Limit VPN access to trusted IP ranges and implement additional authentication controls

🧯 If You Can't Patch

  • Implement strict VPN credential management and monitoring
  • Deploy network segmentation to limit blast radius of potential DoS

🔍 How to Verify

Check if Vulnerable:

Check the ASA/FTD version and DAP configuration status with:

show version
show running-config | include dynamic-access-policy

Check Version:

show version

Verify Fix Applied:

Verify updated version matches Cisco's fixed releases and test DAP functionality
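The two commands above can be checked by hand, but when auditing many devices it helps to parse their output. The following is an added example (not Cisco tooling and not from the advisory): it extracts the software version from `show version`, lists the `dynamic-access-policy-record` entries from the filtered running-config, and decides whether a device is in the exposed state (affected version plus DAP configured). The sample outputs, the record name DAP_CONTRACTORS and the `fixed_versions` map are constructed placeholders; the real first-fixed builds must be taken from the Cisco advisory. Treating any record other than the built-in `DfltAccessPolicy` as "DAP configured" is an assumption made for this check.

```python
"""Audit helper for CVE-2024-20408 exposure on Cisco ASA/FTD.

Added example, not Cisco code. Parses 'show version' and
'show running-config | include dynamic-access-policy' output.
"""
import re

# "Software Version 9.16(4)" or an interim build such as "9.16(4)38".
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")

# Constructed sample output, not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
    "Device Manager Version 7.18(1)\n"
)
SAMPLE_DAP_CONFIG = (
    "dynamic-access-policy-record DfltAccessPolicy\n"
    "dynamic-access-policy-record DAP_CONTRACTORS\n"
)
# PLACEHOLDER: first fixed build per release train (major, minor).
# Replace with the values from the Cisco advisory before use.
PLACEHOLDER_FIXED_VERSIONS = {(9, 16): (9, 16, 5, 0)}


def parse_asa_version(show_version_output):
    """Return (major, minor, maintenance, interim) or None if not found."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def dap_records(config_text, include_default=False):
    """List DAP record names. DfltAccessPolicy is the built-in default record,
    so by default only custom records are returned (assumption: custom
    records are the signal that DAP is actually configured)."""
    names = re.findall(r"^dynamic-access-policy-record (\S+)", config_text, re.MULTILINE)
    if include_default:
        return names
    return [n for n in names if n != "DfltAccessPolicy"]


def assess(show_version_output, config_text, fixed_versions):
    """Combine version state and DAP state into one verdict.

    fixed_versions maps (major, minor) -> first fixed 4-tuple for that train.
    A train missing from the map yields 'unknown' rather than a guess.
    """
    version = parse_asa_version(show_version_output)
    custom_dap = dap_records(config_text)
    fixed = fixed_versions.get(version[:2]) if version else None
    if version is None or fixed is None:
        version_state = "unknown"
    elif version >= fixed:
        version_state = "fixed"
    else:
        version_state = "affected"
    return {
        "version": version,
        "version_state": version_state,
        "custom_dap_records": custom_dap,
        # Exposed only when both conditions from the advisory hold.
        "exposed": version_state == "affected" and bool(custom_dap),
        # DAP in use but fixed build unknown: needs a manual advisory check.
        "needs_review": version_state == "unknown" and bool(custom_dap),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_DAP_CONFIG, PLACEHOLDER_FIXED_VERSIONS))
```

Feed it the captured output of both commands per device; a result with `exposed` set is a device to schedule for the update or the DAP workaround, and `needs_review` means the script could not compare against a fixed build for that train.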

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads
  • Multiple failed HTTPS POST requests to DAP endpoints
  • VPN authentication followed by malformed requests

Network Indicators:

  • Unusual HTTPS traffic patterns to VPN endpoints
  • Sudden VPN service interruptions

SIEM Query:

source="cisco_asa" AND ((event_id=500004 OR message="Reloading") OR (url_path="/+CSCOE+/dap" AND status=500))
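To see what that rule does before deploying it, the following added example (not from the original page or from Cisco) applies the same conditions to a handful of constructed ASA-style log records, with the source check scoped to both branches of the OR. It also adds a second, simple correlation the indicators above call for: a burst of HTTP 500 responses on the DAP path from one client address inside a short window, which is a better signal than a single error. The record layout, timestamps, addresses and the `threshold`/`window` values are assumptions chosen for the example.

```python
"""Offline check of the detection rule over constructed log records.

Added example, not vendor code. Records are dicts with the fields the
SIEM query refers to (source, event_id, message, url_path, status) plus
src_ip and a timestamp in seconds.
"""
from collections import defaultdict, deque

DAP_PATH = "/+CSCOE+/dap"

# Constructed sample events, not captured from a device.
SAMPLE_EVENTS = [
    {"ts": 10, "source": "cisco_asa", "src_ip": "203.0.113.10", "url_path": DAP_PATH, "status": 500},
    {"ts": 15, "source": "cisco_asa", "src_ip": "203.0.113.20", "url_path": DAP_PATH, "status": 500},
    {"ts": 20, "source": "cisco_asa", "src_ip": "203.0.113.10", "url_path": DAP_PATH, "status": 500},
    {"ts": 25, "source": "cisco_asa", "src_ip": "203.0.113.30", "url_path": DAP_PATH, "status": 200},
    {"ts": 30, "source": "cisco_asa", "src_ip": "203.0.113.10", "url_path": DAP_PATH, "status": 500},
    {"ts": 40, "source": "cisco_asa", "src_ip": "-", "message": "Reloading"},
    {"ts": 50, "source": "nginx", "src_ip": "198.51.100.5", "url_path": DAP_PATH, "status": 500},
    {"ts": 200, "source": "cisco_asa", "src_ip": "203.0.113.20", "url_path": DAP_PATH, "status": 500},
]


def is_dap_error(rec):
    """HTTP 500 on the DAP endpoint, as in the SIEM query."""
    return rec.get("url_path") == DAP_PATH and rec.get("status") == 500


def matches_siem_rule(rec):
    """Mirror of the SIEM query with source="cisco_asa" applied to every branch."""
    if rec.get("source") != "cisco_asa":
        return False
    reload_hit = rec.get("event_id") == 500004 or rec.get("message") == "Reloading"
    return reload_hit or is_dap_error(rec)


def run_rule(records):
    """Return the records the SIEM rule would raise."""
    return [r for r in records if matches_siem_rule(r)]


def dap_error_bursts(records, threshold=3, window=60):
    """Return {src_ip: max_count} for clients with >= threshold DAP 500s
    inside any window of `window` seconds (sliding window per client)."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("source") != "cisco_asa" or not is_dap_error(rec):
            continue
        q = recent[rec["src_ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["src_ip"]] = max(flagged.get(rec["src_ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("rule hit:", hit)
    print("bursts:", dap_error_bursts(SAMPLE_EVENTS))
```

In the sample data the single-event rule fires on every DAP error plus the reload line, while the burst check singles out only 203.0.113.10, whose three errors fall within one minute; the isolated errors from 203.0.113.20 are two hundred seconds apart and stay below the threshold.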
