CVE-2024-20432 (CVSS 9.9): Cisco Nexus Dashboard Fabric Controller Exposed to RCE
Cisco has issued a security advisory addressing a critical vulnerability (CVE-2024-20432) in its Nexus Dashboard Fabric Controller (NDFC). This flaw, which carries a severity rating of 9.9 out of 10 on the CVSS scale, could allow an authenticated, low-privileged remote attacker to execute arbitrary commands on managed devices with network-admin privileges.
The vulnerability resides in the REST API and web user interface of Cisco NDFC. It stems from improper user authorization and insufficient validation of command arguments. An attacker with valid credentials could exploit this weakness by submitting crafted commands to an affected REST API endpoint or through the web UI.
Successful exploitation could grant the attacker the ability to run arbitrary commands on the command-line interface (CLI) of a Cisco NDFC-managed device, potentially compromising the entire network fabric.
The CVE-2024-20432 vulnerability affects:
- Cisco Nexus Dashboard Fabric Controller (NDFC)
- Note: This vulnerability does not affect Cisco NDFC when configured for Storage Area Network (SAN) controller deployment.
- Note: Starting with Cisco Nexus Dashboard Release 3.1(1k), Cisco NDFC is distributed in unified releases.
Cisco has released software updates to address this critical vulnerability. There are currently no workarounds, making it imperative for administrators to act promptly.
| Cisco NDFC Release | First Fixed Release |
|---|---|
| 11.5 and earlier | Not vulnerable |
| 12.0 | 12.2.2 |
As of the advisory’s release, Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any public exploitation of this vulnerability. However, given the critical nature of the flaw, the window for potential attacks remains open until patches are applied.