Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

Cisco Meraki MX and Z Series Teleworker Gateway devices are affected by multiple denial of service (DoS) vulnerabilities in the AnyConnect VPN server. These vulnerabilities could allow an unauthenticated attacker to disrupt VPN services. Cisco has released software updates to address these issues, and there are no workarounds available.

What happened 🕵️‍♂️

Multiple vulnerabilities have been identified in the Cisco AnyConnect VPN server of Cisco Meraki MX and Z Series Teleworker Gateway devices. An unauthenticated, remote attacker could exploit these vulnerabilities to cause a denial of service (DoS) condition, resulting in the failure of established SSL VPN connections and preventing new connections from being established.

Affected products 🖥️

The following Cisco Meraki products are affected if they are running a vulnerable release of Cisco Meraki MX firmware with Cisco AnyConnect VPN enabled:

  • MX64
  • MX64W
  • MX65
  • MX65W
  • MX67
  • MX67C
  • MX67W
  • MX68
  • MX68CW
  • MX68W
  • MX75
  • MX84
  • MX85
  • MX95
  • MX100
  • MX105
  • MX250
  • MX400
  • MX450
  • MX600
  • vMX
  • Z3
  • Z3C
  • Z4
  • Z4C

Note: Cisco AnyConnect VPN is supported on Cisco Meraki MX Series and Z Series devices running firmware releases 16.2 and later, except for MX64 and MX65, which require firmware releases 17.6 and later.

Fixed software 🔧

Upgrade to the first fixed release for your release train, or any later release:

Product: Cisco Meraki MX firmware (MX Series and Z Series devices listed above)

Release train    First fixed release
16.2             Migrate to a fixed release.
17               Migrate to a fixed release.
18.1             18.107.12
18.2             18.211.2

Advisory revision history: 1.0 initial public release; 1.1 updated fixed release availability.
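As an added example (not code from the Cisco advisory or from Meraki), the script below triages a device inventory against the release trains and first fixed releases above, honouring the AnyConnect support thresholds from the note (16.2 and later; 17.6 and later for MX64 and MX65). It assumes Meraki firmware versions are dotted strings such as "18.107.10", optionally prefixed by the model family.

```python
# Added example: triage Meraki MX / Z devices against the advisory's fixed releases.
# Assumption: firmware versions are strings like "18.107.10" or "MX 18.107.10".
from typing import Dict, Tuple

Version = Tuple[int, ...]

# First fixed release per train, as published in the advisory.
FIRST_FIXED: Dict[str, Version] = {"18.1": (18, 107, 12), "18.2": (18, 211, 2)}
# Trains with no fixed release; the advisory says to migrate to a fixed train.
MIGRATE_TRAINS = {"16.2", "17"}
# AnyConnect is supported from 16.2, except MX64/MX65, which need 17.6 or later.
ANYCONNECT_MIN: Version = (16, 2)
ANYCONNECT_MIN_MX64_65: Version = (17, 6)


def parse_version(text: str) -> Version:
    """'MX 18.107.10' -> (18, 107, 10); tolerates a leading model prefix."""
    dotted = text.strip().split()[-1]
    return tuple(int(part) for part in dotted.split("."))


def train_of(version: Version) -> str:
    """Map a parsed version to the release-train labels used in the advisory."""
    major = version[0]
    minor = version[1] if len(version) > 1 else 0
    if major >= 18:
        return f"{major}.{minor // 100}"  # 18.107.x -> "18.1", 18.211.x -> "18.2"
    if major == 17:
        return "17"
    return "16.2"  # the advisory's label for the 16 train


def assess(model: str, firmware: str, anyconnect_enabled: bool) -> str:
    """Return 'not_affected', 'fixed', 'upgrade_to <ver>', 'migrate' or 'unlisted_train'."""
    version = parse_version(firmware)
    minimum = ANYCONNECT_MIN_MX64_65 if model in ("MX64", "MX65") else ANYCONNECT_MIN
    # The vulnerable component is the AnyConnect VPN server: devices that do not
    # run it (feature disabled, or firmware too old to support it) are out of scope.
    if not anyconnect_enabled or version < minimum:
        return "not_affected"
    train = train_of(version)
    if train in MIGRATE_TRAINS:
        return "migrate"
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "unlisted_train"  # not covered by the advisory table; check manually
    if version >= fixed:
        return "fixed"
    return "upgrade_to " + ".".join(str(part) for part in fixed)
```

Feed it each device's model, firmware string and whether AnyConnect VPN is enabled; anything returning "upgrade_to", "migrate" or "unlisted_train" needs attention.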

Workarounds 🧯

There are no workarounds that effectively address these vulnerabilities. Cisco Meraki recommends disabling Cisco AnyConnect VPN as a temporary mitigation, but this may impact functionality. Customers should evaluate the applicability of this mitigation in their environments.

Risk in context 🎯

The highest CVSS score for these vulnerabilities is 8.6, indicating a high severity level. Exploitation could lead to significant disruption of VPN services, affecting remote users’ ability to connect securely. Organizations using affected devices should prioritize applying the recommended software updates to mitigate these risks.

Fast facts ⚡

  • Advisory ID: cisco-sa-meraki-mx-vpn-dos-QTRHzG2
  • Initial Release Date: October 2, 2024
  • Current Release Date: June 2, 2025
  • CVSS Base Score: 8.6 (High)
  • Vulnerabilities: CVE-2024-20498, CVE-2024-20499, CVE-2024-20501, CVE-2024-20502, CVE-2024-20513

For leadership 🧭

It is crucial for leadership to understand the implications of these vulnerabilities on organizational security and operations. The potential for denial of service attacks on VPN services could disrupt remote work capabilities. Immediate action is recommended to upgrade affected devices and ensure the security of remote access solutions. Regularly consult Cisco’s advisories for updates and best practices in maintaining device security.