Vulnerability DatabaseCVE-2024-20299

CVE-2024-20299:
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-20299) was discovered in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The vulnerability was disclosed on October 23, 2024, and affects systems running vulnerable releases of Cisco ASA or FTD Software with Forward Reference and AnyConnect Firewall Rule features enabled (Cisco Advisory).

Technical details

The vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. It has been assigned a CVSS base score of 5.8 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N) and is classified as CWE-290 (Authentication Bypass by Spoofing) (NVD, Cisco Advisory).

Impact

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass configured ACL rules and allow traffic that should have been denied to flow through an affected device (Cisco Advisory).

Mitigation and workarounds

Cisco has released software updates that address this vulnerability. There are no workarounds available that address this vulnerability. Users are advised to upgrade to the latest fixed version (Cisco Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

5.8

Score

Published October 23, 2024

Severity MEDIUM

CNA Score 5.8

Affected Technologies

Cisco Adaptive Security Appliance (ASA)
Cisco Firepower Threat Defense (FTD)

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 56.3

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

cpe:2.3:a:cisco:firepower_threat_defense
cpe:2.3:o:cisco:adaptive_security_appliance_software

Sources

VulnCheck NVD++
- Linux Severity MEDIUMHas FixAdded at: Oct 27, 2024
NVD
- Linux Severity MEDIUMHas FixAdded at: Aug 03, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Cisco Adaptive Security Appliance (ASA) vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-20333	CRITICAL	9.9	Cisco Adaptive Security Appliance (ASA)	cpe:2.3:a:cisco:firepower_threat_defense	Yes	Yes	Sep 25, 2025
CVE-2025-20363	CRITICAL	9	Cisco Adaptive Security Appliance (ASA)	cpe:2.3:o:cisco:adaptive_security_appliance_software	No	Yes	Sep 25, 2025
CVE-2025-20362	HIGH	8.6	Cisco Adaptive Security Appliance (ASA)	cpe:2.3:a:cisco:firepower_threat_defense	Yes	Yes	Sep 25, 2025
CVE-2025-20263	HIGH	8.6	Cisco Adaptive Security Appliance (ASA)	cpe:2.3:a:cisco:firepower_threat_defense	No	Yes	Aug 14, 2025
CVE-2025-20254	MEDIUM	5.8	Cisco Adaptive Security Appliance (ASA)	cpe:2.3:o:cisco:adaptive_security_appliance_software	No	Yes	Aug 14, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-20299: Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation