CVE-2020-3297

Cisco Small Business Smart and Managed Switches Session Management Vulnerability

Description

A vulnerability in session management for the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to defeat authentication protections and gain unauthorized access to the management interface. The attacker could obtain the privileges of the hijacked session account, which could include administrator privileges on the device. The vulnerability is due to the use of weak entropy generation for session identifier values. An attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session. In this way, an attacker could take actions within the management interface with privileges up to the level of the administrative user.

CVSS: 9.8
Severity: Critical
EPSS: 5.44% (Top 15%)
Vendor Advisory: cisco.com
Affected: Cisco Small Business 200 Series Smart Switches

Frequently Asked Questions

What is the severity of CVE-2020-3297?
CVE-2020-3297 has been scored as a critical severity vulnerability.

How to fix CVE-2020-3297?
To fix CVE-2020-3297, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, there are no other specific guidelines available.

Is CVE-2020-3297 being actively exploited in the wild?
It is possible that CVE-2020-3297 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~5% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

What software or system is affected by CVE-2020-3297?
CVE-2020-3297 affects Cisco Small Business 200 Series Smart Switches.