Cisco IOS Bugs Allow Unauthenticated, Remote DoS Attacks

Cisco has released security updates for its flagship IOS and IOS XE operating system software for networking gear, as well as patches for its Access Point software.

The company's security update for Cisco IOS mitigates a total of 14 vulnerabilities, 10 of which are denial-of-service (DoS) bugs that can cause system crashes, unexpected reloads, and heap overflow. The most severe of the high-risk DoS bugs all allow exploitation by unauthenticated, remote attackers.

The other bugs allow privilege escalation, command injection, and access control list bypass.

Cisco's Access Point Software updates are for a secure boot bypass vulnerability (CVE-2024-20265), as well as another denial of service vulnerability (CVE-2024-20271). The former is "a vulnerability in the boot process [that] could allow an unauthenticated, physical attacker to bypass the Cisco Secure Boot functionality and load a software image that has been tampered with on an affected device," according to the advistory.

CISA issued a follow-up alert encouraging administrators to update their systems as soon as possible.