Cisco scores a perfect CVSS 10 with critical flaw in its wireless system

Ultra-Reliable Wireless Backhaul doesn't live up to its name


Cisco is issuing a critical alert notice about a flaw that makes its so-called Ultra-Reliable Wireless Backhaul systems easy to subvert.

The weakness – tracked as CVE-2024-20418 and made public yesterday – lies in the Unified Industrial Wireless Software that the devices run. Crucially, the flaw is serious enough that a remote attacker with no privileges could upgrade themselves to admin-level access and install whatever nasties they like.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," Cisco warned. "A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device."

The following kit is affected and needs immediate patching if URWB is enabled – there are no workarounds:

You can check if it is enabled on your own kit by using the show mpls-config CLI command.
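Because the vector Cisco describes is HTTP traffic to the device's web management interface, the useful defensive question while the patch is being rolled out is who can actually reach that interface. The script below is an added example, not code from the article or from Cisco: it parses a handful of constructed Common Log Format access lines (the paths, timestamps and addresses are made up and are not the real URWB endpoints), checks each client address against an assumed administrator allowlist, and reports requests from anywhere else. The same logic runs over real reverse-proxy or device logs once the allowlist reflects your own management network.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log: Common Log Format as a reverse proxy in front of
# the management interface might record it. Paths are placeholders.
SAMPLE_LOG = """\
10.20.0.5 - - [07/Nov/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 512
10.20.0.5 - - [07/Nov/2024:09:12:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.44 - - [07/Nov/2024:09:13:40 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.9 - - [07/Nov/2024:09:14:02 +0000] "GET /status HTTP/1.1" 200 1024
this line is not a log entry and should be skipped
"""

# Assumed allowlist: the only network that should ever talk to the
# management plane. Replace with your own admin subnet(s).
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Common Log Format: client - user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip: str, allow: Iterable[ipaddress.IPv4Network] = ADMIN_NETWORKS) -> bool:
    """True when the client address falls inside an allowlisted network.
    Unparseable addresses are treated as untrusted rather than ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allow)


def flag_untrusted_requests(lines: Iterable[str],
                            allow: Iterable[ipaddress.IPv4Network] = ADMIN_NETWORKS) -> List[Dict[str, str]]:
    """Return every parsed request whose source is outside the allowlist."""
    allow = list(allow)
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue  # skip blank or malformed lines
        if not is_trusted(entry["ip"], allow):
            hits.append(entry)
    return hits


def summarize_by_source(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client address for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_untrusted_requests(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per-source:", summarize_by_source(flagged))
```

Any address that shows up in the flagged list is a sign the management interface is reachable from where it should not be, which is worth fixing regardless of the patch state. Malformed lines are skipped rather than failing the run, and addresses that do not parse are reported as untrusted so that nothing slips through on a logging quirk.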

The flaw carries a CVSS score of 10.0 because it's both simple and devastatingly effective. It's also dangerous because this kind of kit is designed for industrial uses and it is just the kind of code you'd expect to find in critical infrastructure targets – such as ports or factories.

You can get your fix here and are advised to apply it immediately. There are not yet any reported sightings of the vulnerability being exploited in the wild. ®
