Cybersecurity Threat Advisory

Cisco has released security updates for a vulnerability affecting its Secure Client software. Successful exploitation could allow threat actors to steal a targeted user’s token and establish a virtual private network (VPN) session. The vulnerability, tracked as CVE-2024-20337, has a CVSS score of 8.2, which is considered high risk. Organizations running the vulnerable versions (listed below in this Cybersecurity Threat Advisory) are encouraged to apply the latest patch immediately.

What is the threat?

This high-severity flaw allows a carriage return line feed (CRLF) injection attack, which can lead to code execution and unauthorized remote access to VPN sessions. Because user-supplied input is insufficiently validated, an attacker can trick a user into clicking a crafted link while that user is establishing a VPN session; the link then executes arbitrary script in the victim’s browser or exposes sensitive browser-based information.

Why is it noteworthy?

This vulnerability affects the Cisco Secure Client for Windows, Linux, and macOS. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid Security Assertion Markup Language (SAML) token.

What is the exposure or risk?

An attacker who lures a victim to a website under their control can capture the victim’s SAML token and then use it to establish a remote access VPN session with the affected user’s privileges, gaining access to internal networks. Cisco notes that reaching individual hosts and services behind the VPN headend would still require additional credentials before access is granted.

What are the recommendations?

Barracuda MSP recommends the following actions to mitigate the effects of CVE-2024-20337:

  • Determine whether the VPN headend is configured to use the SAML External Browser feature by running the show running-config tunnel-group command in the Cisco ASA or FTD CLI. The output will indicate whether the SAML External Browser feature is enabled.
  • To make sure their endpoints are secure, IT teams should update their software accordingly based on the version information below:

Cisco Secure Client Release     First Fixed Release
Earlier than 4.10.04065         Not vulnerable.
4.10.04065 and later            4.10.08025
5.0                             Migrate to a fixed release.
5.1                             5.1.2.42
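A quick way to triage an endpoint inventory against the fixed-release table above, written as an added example (not Cisco’s or Barracuda’s code): it compares each installed Cisco Secure Client version numerically against the first fixed releases listed, and the host list is constructed sample data.

```python
"""Classify installed Cisco Secure Client versions for CVE-2024-20337
using the fixed-release table quoted in the advisory above."""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    # "5.1.2.42" -> (5, 1, 2, 42); pad to four fields so "5.0" sorts
    # below "5.0.1" and leading zeros ("04065") compare numerically.
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# Boundaries taken directly from the advisory's table.
FIRST_VULNERABLE = parse_version("4.10.04065")
FIXED_4_10 = parse_version("4.10.08025")
FIXED_5_1 = parse_version("5.1.2.42")


def assess(installed: str) -> Tuple[str, str]:
    """Return (status, action) for one installed version string."""
    v = parse_version(installed)
    if v < FIRST_VULNERABLE:
        return ("not_vulnerable", "no action (earlier than 4.10.04065)")
    if v[:2] == (4, 10):
        if v >= FIXED_4_10:
            return ("fixed", "no action")
        return ("vulnerable", "upgrade to 4.10.08025")
    if v[:2] == (5, 0):
        return ("vulnerable", "migrate to a fixed release")
    if v[:2] == (5, 1):
        if v >= FIXED_5_1:
            return ("fixed", "no action")
        return ("vulnerable", "upgrade to 5.1.2.42")
    return ("unknown", "release not in the table; check Cisco's advisory")


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (hostname, version) pairs down to those still exposed."""
    return [(host, assess(ver)[1]) for host, ver in inventory
            if assess(ver)[0] == "vulnerable"]


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("laptop-01", "4.9.06037"), ("laptop-02", "4.10.06079"),
    ("laptop-03", "5.0.05040"), ("laptop-04", "5.1.1.42"),
    ("laptop-05", "5.1.2.42"),
]

if __name__ == "__main__":
    for host, action in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```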

References

For more in-depth information on the recommendations, please visit the following links:

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
