Cisco Patches Critical Vulnerability in Data Center Management Product


Cisco on Wednesday announced patches for multiple vulnerabilities across its products, including a critical-severity flaw in Cisco Nexus Dashboard Fabric Controller (NDFC).

Tracked as CVE-2024-20432 (CVSS score of 9.9), the critical bug affects the REST API and web UI of NDFC and could allow an authenticated, remote attacker to execute arbitrary commands on an affected device with network-admin privileges.

“This vulnerability is due to improper user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI,” Cisco explains in its advisory.

The security defect was resolved in Cisco NDFC version 12.2.2. According to Cisco, NDFC versions 11.5 and earlier and instances configured for SAN controller deployment are not affected.

NDFC version 12.2.2 also fixes an improper path validation flaw that could allow an authenticated, remote attacker to upload malicious code to an affected device over the Secure Copy Protocol (SCP). Successful exploitation could lead to arbitrary code execution with root privileges.
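The two weakness classes Cisco names for NDFC (missing authorization plus unvalidated command arguments on an endpoint that runs commands, and improper path validation on an SCP upload) are easy to show in miniature. The Python below is an illustration added for this article; it is not NDFC code and is not derived from Cisco's advisory. The role names, the command allow-list and the upload directory are assumptions chosen for the example, as are the constructed inputs.

```python
import posixpath
import re
import shlex


class Forbidden(Exception):
    """Caller's role is not allowed to run commands."""


class BadArgument(Exception):
    """Client-supplied command or path failed validation."""


# Assumed role name: the page only says the attacker gains network-admin privileges.
COMMAND_RUNNERS = {"network-admin"}

# Assumed allow-list: command name -> (max argument count, regex each argument must match).
# Hostnames and IPv4 literals only, so shell metacharacters never reach the argv.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")
ALLOWED_COMMANDS = {
    "ping": (1, HOST_RE),
    "traceroute": (1, HOST_RE),
}

# Assumed upload root for the SCP path check.
UPLOAD_ROOT = "/var/lib/example-controller/uploads"


def build_command_insecure(role, raw):
    """Vulnerable pattern: no authorization check, and the raw client string is
    handed to a shell, so "ping 10.0.0.1; id" runs both commands."""
    return ["/bin/sh", "-c", raw]


def build_command_secure(role, raw):
    """Hardened pattern: authorize first, then split into an argv list (never a
    shell string), allow-list the command, and validate every argument."""
    if role not in COMMAND_RUNNERS:
        raise Forbidden(f"role {role!r} may not run commands")
    argv = shlex.split(raw)
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise BadArgument(f"command not allowed: {argv[:1]}")
    max_args, pattern = ALLOWED_COMMANDS[argv[0]]
    args = argv[1:]
    if len(args) > max_args:
        raise BadArgument(f"too many arguments for {argv[0]}")
    for arg in args:
        if not pattern.fullmatch(arg):
            raise BadArgument(f"rejected argument: {arg!r}")
    return argv  # hand to subprocess.run(argv) with shell=False


def upload_path_insecure(client_path):
    """Vulnerable pattern: the client path is joined without validation, so
    "../../etc/cron.d/x" or an absolute "/etc/passwd" escapes the upload root."""
    return posixpath.join(UPLOAD_ROOT, client_path)


def upload_path_secure(client_path):
    """Hardened pattern: normalise the joined path and require it to stay inside
    UPLOAD_ROOT. The trailing slash matters: a bare prefix test would accept
    UPLOAD_ROOT + "2/..." as if it were inside the root."""
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, client_path))
    if full == UPLOAD_ROOT or not full.startswith(UPLOAD_ROOT + "/"):
        raise BadArgument(f"path escapes upload root: {client_path!r}")
    return full


if __name__ == "__main__":
    # Constructed inputs: a benign request and two classic escapes.
    print(build_command_secure("network-admin", "ping 10.0.0.1"))
    print(build_command_insecure("network-operator", "ping 10.0.0.1; id"))
    print(upload_path_insecure("../../../../etc/cron.d/x"))
```

The secure variants reject a request before anything touches the OS: the role check handles the "improper user authorization" half, the allow-list plus per-argument regex handles "insufficient validation of command arguments", and the normalised-prefix test is the usual fix for a path-validation bug on an upload endpoint.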

Cisco also announced patches for multiple high- and medium-severity issues in Meraki MX and Meraki Z series teleworker gateway devices that could allow attackers to cause denial-of-service (DoS) conditions.

The bugs, three high-severity and three medium-severity, affect 25 Meraki products if they are running a vulnerable firmware release and have the AnyConnect VPN service enabled.

The high-severity vulnerabilities exist because client-supplied parameters are not sufficiently validated when establishing an SSL VPN session, allowing an attacker to send crafted requests and restart the AnyConnect VPN server, preventing SSL VPN connections from being established.


Insufficient resource management when establishing TLS/SSL or SSL VPN sessions and insufficient entropy for handlers used during SSL VPN session creation lead to three medium-severity flaws that could allow attackers to prevent or terminate sessions.

Cisco Meraki MX firmware version 18.211.2 resolves these vulnerabilities. Devices running firmware releases 16.2 and later or 17.0 and later should be migrated to the patched release, Cisco says.

On Wednesday, the tech giant also warned that the RV340, RV340W, RV345, and RV345P router models, and the RV042, RV042G, RV320, and RV325 business routers, which have been discontinued, are plagued by high- and medium-severity vulnerabilities leading to elevation of privilege, remote code execution, and DoS.

“Cisco has not released and will not release software updates that address these vulnerabilities because the affected products are past their respective dates for End of Software Maintenance Releases,” the company said.

However, software updates were released to address medium-severity defects in Nexus Dashboard Orchestrator, Nexus Dashboard and NDFC, Nexus Dashboard Insights, Meraki MX and Meraki Z gateways, Identity Services Engine (ISE), Expressway-C and Expressway-E devices, and UCS B-series, UCS Managed C-series, and UCS X-series servers.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. However, attackers are known to have exploited flaws in Cisco products for which patches had been released, and users are advised to update their installations as soon as possible or, where needed, to replace discontinued products with supported ones. Additional information can be found on Cisco’s security advisories page.

Related: Cisco Patches High-Severity Vulnerabilities in IOS Software

Related: AI, Cybersecurity Top Investment Areas for Industrial Organizations: Cisco

Related: Researcher Finds Several Vulnerabilities in Cisco Small Business Switches

Related: Cisco Patches Several Vulnerabilities in SD-WAN Solution
