Cisco tells Secure Client users to patch immediately or risk VPN security flaw


Networking giant Cisco has patched a high-severity flaw in one of its software products which could be leveraged to open a VPN session with a target endpoint.

The flaw is found in Secure Client, and is described as “carriage return line feed injection vulnerability”.

Tracked as CVE-2024-20337, it carries a severity score of 8.2 and allows an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection against the target endpoint.

A patch is available

"A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token," the company said in an advisory. "The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access."

TheHackerNews explained that the vulnerability stemmed from insufficient validation of user-supplied input. Hackers could use the flaw to trick potential victims into clicking a custom-tailored link while establishing a VPN session. The researcher who discovered the flaw, Amazon’s Paulos Yibelo Mesfin, told the publication that threat actors could abuse this flaw to access their targets’ local internal networks. All the victims need to do is visit a website under the attackers’ control.

To make sure their endpoints are secure, IT teams should check which Cisco Secure Client release they are running and move to the corresponding fixed release:

    Secure Client release       Status / first fixed release
    Earlier than 4.10.04065     Not vulnerable
    4.10.04065 and later        Fixed in 4.10.08025
    5.0                         Migrate to a fixed release
    5.1                         Fixed in 5.1.2.42
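The table above is easy to misread when comparing version strings by hand (4.10.04065 sorts after 4.9.x, but before 4.10.08025). The following added Python helper, which is not Cisco's code, encodes the page's fixed-release table so an inventory of installed Secure Client versions can be triaged; the inventory entries are constructed sample data.

```python
"""Triage installed Cisco Secure Client versions against CVE-2024-20337.

Hypothetical helper (not Cisco's tooling). It encodes only the release table
quoted in the article; any train the table does not mention is reported as
"unknown" rather than guessed at.
"""
import re

def parse_version(version: str) -> tuple:
    """Turn '4.10.04065' into (4, 10, 4065) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

FIRST_VULNERABLE = parse_version("4.10.04065")   # earlier releases are not affected
FIXED_4_10 = parse_version("4.10.08025")
FIXED_5_1 = parse_version("5.1.2.42")

def assess(version: str) -> str:
    """Return the advisory status for one installed Secure Client version."""
    v = parse_version(version)
    if v < FIRST_VULNERABLE:
        return "not vulnerable"
    train = v[:2]
    if train == (4, 10):
        return "fixed" if v >= FIXED_4_10 else "vulnerable: upgrade to 4.10.08025"
    if train == (5, 0):
        return "vulnerable: migrate to a fixed release"
    if train == (5, 1):
        return "fixed" if v >= FIXED_5_1 else "vulnerable: upgrade to 5.1.2.42"
    return "unknown: check the Cisco advisory"

def needs_action(inventory: dict) -> dict:
    """Filter a {hostname: version} inventory down to hosts that need work."""
    return {host: assess(ver) for host, ver in inventory.items()
            if not assess(ver).startswith(("not vulnerable", "fixed"))}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "laptop-01": "4.9.06037",
    "laptop-02": "4.10.04065",
    "laptop-03": "4.10.08025",
    "laptop-04": "5.0.00556",
    "laptop-05": "5.1.2.41",
    "laptop-06": "5.1.2.42",
}

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```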

Virtual Private Network (VPN) solutions are an indispensable part of every organization’s tech stack and, as a result, are often targeted by threat actors. Recently, Ivanti’s VPN solution came under fire after multiple high-severity vulnerabilities were discovered in it and exploited en masse to steal sensitive data, engage in espionage, and deploy malware and ransomware.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
