Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Session Takeover and Denial of Service Vulnerability
TL;DR 📌
A vulnerability (CVE-2024-20509) has been identified in the Cisco AnyConnect VPN server of Cisco Meraki MX and Z Series Teleworker Gateway devices. An unauthenticated remote attacker could hijack an established AnyConnect VPN session or cause a denial of service (DoS) condition for users of the service. Cisco has released fixed Meraki MX firmware; there are no workarounds, although disabling AnyConnect VPN removes the attack vector.
What happened 🕵️♂️
A vulnerability in the Cisco AnyConnect VPN server could enable an unauthenticated remote attacker to hijack an AnyConnect VPN session or induce a denial of service (DoS) condition for users of the service. The root cause is twofold: insufficient entropy in the VPN authentication process (the authentication handler is guessable) combined with a race condition in that same process. An attacker who can reach the AnyConnect service over HTTPS can exploit the flaw by guessing an authentication handler and sending crafted HTTPS requests to the affected device; no credentials are required, so exposure is limited only by whether the service is enabled and reachable.
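The two weakness classes named above, a guessable authentication handler and a check-then-act race, are easy to see side by side in a toy model. The following is an added illustration, not Cisco Meraki code; the page says nothing about the real handler's format, ID width or internals, so the 16-bit seeded-PRNG handler, the sleep that stands in for validation work, and the class and function names are all assumptions made for the example.

```python
import random
import secrets
import threading
import time

# Toy model of a VPN authentication-handler store (assumption: not Meraki code).
WEAK_ID_BITS = 16        # assumption for the toy: far too little entropy
STRONG_ID_BYTES = 16     # 128 bits, the conventional floor for session handles


class WeakHandlerStore:
    """Handler IDs from a small, seeded, non-cryptographic PRNG: predictable."""

    def __init__(self, seed=1234):
        self._rng = random.Random(seed)   # Mersenne Twister, seeded: replayable
        self._pending = {}

    def issue(self, user):
        hid = self._rng.getrandbits(WEAK_ID_BITS)
        self._pending[hid] = user
        return hid

    def redeem(self, hid):
        # Check, then act, with no lock: two concurrent redeems of the same
        # handler can both pass the check before either one removes it.
        user = self._pending.get(hid)
        if user is None:
            return None
        time.sleep(0.05)                  # stands in for validation work
        self._pending.pop(hid, None)
        return user


class HardenedHandlerStore:
    """128-bit CSPRNG handler IDs with an atomic, single-use claim."""

    def __init__(self):
        self._pending = {}
        self._lock = threading.Lock()

    def issue(self, user):
        hid = secrets.token_hex(STRONG_ID_BYTES)   # 32 hex chars, OS entropy
        with self._lock:
            self._pending[hid] = user
        return hid

    def redeem(self, hid):
        with self._lock:                  # check and removal are one step
            return self._pending.pop(hid, None)


def predict_next_weak_id(seed=1234, already_issued=0):
    """An attacker who recovers the seed (or enough outputs) replays the PRNG."""
    rng = random.Random(seed)
    for _ in range(already_issued):
        rng.getrandbits(WEAK_ID_BITS)
    return rng.getrandbits(WEAK_ID_BITS)


def expected_blind_guesses(bits):
    """Expected guesses to hit one live handler chosen uniformly from 2**bits."""
    return 2 ** (bits - 1)


def race_redeem(store, hid, attempts=2):
    """Redeem one handler from several threads; return how many calls won."""
    results = []

    def worker():
        results.append(store.redeem(hid))

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)


if __name__ == "__main__":
    weak = WeakHandlerStore(seed=1234)
    hid = weak.issue("alice")
    print("predicted == issued:", predict_next_weak_id(1234) == hid)
    print("blind guesses for 16 bits:", expected_blind_guesses(WEAK_ID_BITS))
    print("weak store, 2 racing redeems succeed:", race_redeem(WeakHandlerStore(), hid))
    hard = HardenedHandlerStore()
    print("hardened store, racing redeems succeed:", race_redeem(hard, hard.issue("bob")))
```

The weak store loses on both counts: a handler drawn from 2^16 values falls to a few tens of thousands of HTTPS requests (and to zero if the PRNG state leaks), and the unguarded check-then-act lets a second request reuse a handler that is being consumed. The hardened store pairs an unguessable 128-bit identifier with a single atomic `pop`, which is the shape of fix the advisory's "weak entropy" and "race condition" wording points at.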
Affected products 🖥️
The following Cisco Meraki products are affected if they are running a vulnerable release of Cisco Meraki MX firmware and have Cisco AnyConnect VPN enabled:
- MX64
- MX64W
- MX65
- MX65W
- MX67
- MX67C
- MX67W
- MX68
- MX68CW
- MX68W
- MX75
- MX84
- MX85
- MX95
- MX100
- MX105
- MX250
- MX400
- MX450
- MX600
- vMX
- Z3
- Z3C
- Z4
- Z4C
Note: Cisco AnyConnect VPN is supported on Cisco Meraki MX and Z Series devices running Cisco Meraki MX firmware releases 16.2 and later, except for MX64 and MX65, which require firmware releases 17.6 and later.
Fixed software 🔧
Upgrade to the first fixed Cisco Meraki MX firmware release for your release train, or any later release in that train:
| Cisco Meraki MX Firmware Release Train | First Fixed Release | Notes |
|---|---|---|
| 16.2 | Migrate to a fixed release. | No fix in this train. |
| 17 | Migrate to a fixed release. | No fix in this train. |
| 18.1 | 18.107.13 | 18.107.13 and later in the 18.1 train. |
| 18.2 | 18.211.3 | 18.211.3 and later in the 18.2 train. |
Advisory revision history: 1.0, initial public release (October 2, 2024); 1.1, updated fixed release availability (June 2, 2025).
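A quick way to apply the table to an inventory is to map each device's firmware to its release train and compare against the first fixed release. The following is an added example and not Cisco Meraki tooling: the inventory rows are constructed, the `"MX 18.107.10"` firmware string format and the rule that 18.1xx belongs to the 18.1 train and 18.2xx to the 18.2 train are assumptions, and the function names are this example's own.

```python
# Added triage helper for the fixed-release table above (not Meraki tooling).

AFFECTED_MODELS = {
    "MX64", "MX64W", "MX65", "MX65W", "MX67", "MX67C", "MX67W", "MX68",
    "MX68CW", "MX68W", "MX75", "MX84", "MX85", "MX95", "MX100", "MX105",
    "MX250", "MX400", "MX450", "MX600", "vMX", "Z3", "Z3C", "Z4", "Z4C",
}

# First fixed release per train, from the advisory table.
FIRST_FIXED = {"18.1": (18, 107, 13), "18.2": (18, 211, 3)}
# Trains with no fixed build: the advisory says to migrate.
MIGRATE_MAJORS = {16, 17}


def parse_firmware(text):
    """'MX 18.107.10' -> (18, 107, 10). Format is an assumption for this example."""
    return tuple(int(p) for p in text.split()[-1].split("."))


def train_of(version):
    """Assumption: 18.1xx is the 18.1 train, 18.2xx the 18.2 train."""
    major, minor = version[0], version[1]
    if major in MIGRATE_MAJORS:
        return str(major)
    return f"{major}.{minor // 100}"


def assess(model, firmware, anyconnect_enabled):
    """Return a one-line disposition for a single device."""
    if model not in AFFECTED_MODELS:
        return "not listed as affected"
    if not anyconnect_enabled:
        return "not exposed: AnyConnect VPN disabled"
    version = parse_firmware(firmware)
    if version[0] in MIGRATE_MAJORS:
        return "vulnerable: migrate to a fixed release"
    fixed = FIRST_FIXED.get(train_of(version))
    if fixed is None:
        return "train not in advisory table: check Cisco advisory"
    fixed_text = ".".join(map(str, fixed))
    if version >= fixed:
        return f"fixed ({fixed_text} or later)"
    return f"vulnerable: upgrade to {fixed_text}"


def triage(inventory):
    """Map device name -> disposition for a list of inventory dicts."""
    return {
        d["name"]: assess(d["model"], d["firmware"], d["anyconnect"])
        for d in inventory
    }


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "branch-1", "model": "MX67", "firmware": "MX 18.107.10", "anyconnect": True},
    {"name": "dc-edge", "model": "MX250", "firmware": "MX 18.211.3", "anyconnect": True},
    {"name": "home-42", "model": "Z3", "firmware": "MX 17.10.4", "anyconnect": True},
    {"name": "branch-2", "model": "MX85", "firmware": "MX 18.107.10", "anyconnect": False},
    {"name": "core-sw", "model": "MS225", "firmware": "MS 16.7", "anyconnect": True},
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {verdict}")
```

Version tuples compare lexicographically, so `(18, 107, 10) < (18, 107, 13)` does the right thing without string tricks; the "train not in advisory table" branch is deliberate, so that a future train is flagged for a manual check rather than silently reported as fixed.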
Workarounds 🧯
There are no workarounds that address this vulnerability; Cisco Meraki recommends upgrading to a fixed software release. As a mitigation, disabling Cisco AnyConnect VPN on the device removes the attack vector entirely, since the flaw is only reachable through the AnyConnect service, but whether that is acceptable depends on how much your environment relies on AnyConnect for remote access.
Risk in context 🎯
The vulnerability has a CVSS base score of 5.8 (medium). The score is below critical, but the practical risk is real: the attack requires no credentials, targets a service that is by design exposed to the internet, and its outcomes (session hijacking and denial of service) directly undermine the remote-access path organizations depend on. Treat it as a prompt upgrade for any affected device with AnyConnect VPN enabled.
Fast facts ⚡
- Vulnerability ID: CVE-2024-20509
- CVSS Score: 5.8 (Medium)
- Initial Release Date: October 2, 2024
- Current Release Date: June 2, 2025
- Exploitation Awareness: No known malicious use reported.
For leadership 🧭
Organizations running affected Cisco Meraki devices with AnyConnect VPN enabled should prioritize upgrading to a fixed software release to remove the risk of session hijacking and denial of service. Where an upgrade must wait, weigh disabling AnyConnect VPN as an interim mitigation. Monitor the Cisco Security Advisories page for updates (the advisory has already been revised once) and make sure IT teams understand which devices and firmware trains are in scope.