A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly ingest data from on-prem, cloud or hybrid environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Identity Security
    • Singularity Identity
      Identity Threat Detection and Response
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-class Expertise and Threat Intelligence.
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive solutions for seamless security operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your go-to source for our top partners in your region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-20337

CVE-2024-20337: Cisco Secure Client XSS Vulnerability

CVE-2024-20337 is a cross-site scripting flaw in Cisco Secure Client's SAML authentication that allows attackers to execute malicious scripts and steal authentication tokens. This post covers technical details, affected versions, impact, and mitigation strategies.

Published: January 28, 2026

CVE-2024-20337 Overview

A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user-supplied input during the VPN session establishment process.

An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the stolen token to establish a remote access VPN session with the privileges of the affected user.

Critical Impact

Successful exploitation allows attackers to steal valid SAML tokens and establish unauthorized VPN sessions, potentially gaining access to corporate networks with the privileges of targeted users.

Affected Products

  • Cisco Secure Client (Windows)
  • Cisco Secure Client (macOS)
  • Cisco Secure Client (Linux)

Discovery Timeline

  • 2024-03-06 - CVE-2024-20337 published to NVD
  • 2025-07-22 - Last updated in NVD database

Technical Details for CVE-2024-20337

Vulnerability Analysis

CVE-2024-20337 is classified as CWE-93 (Improper Neutralization of CRLF Sequences), commonly known as HTTP Response Splitting or CRLF Injection. The vulnerability exists in how Cisco Secure Client processes user-supplied input during SAML-based authentication flows.

CRLF injection occurs when an application fails to properly sanitize carriage return (\r or %0D) and line feed (\n or %0A) characters from user input. In the context of SAML authentication, these characters can be injected to manipulate HTTP responses, potentially leading to script execution or information disclosure.

The attack requires user interaction—specifically, the victim must click a maliciously crafted link while in the process of establishing a VPN session. This social engineering component is necessary for exploitation but does not significantly diminish the risk given the prevalence of phishing attacks.

Root Cause

The root cause of this vulnerability is insufficient validation of user-supplied input in the SAML authentication handler. When processing SAML responses or redirects, the Cisco Secure Client does not adequately sanitize CRLF sequences, allowing an attacker to inject arbitrary HTTP headers or content.

This insufficient input validation allows attackers to break out of the intended response structure and inject malicious content that the browser interprets as legitimate response data.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker would typically:

  1. Craft a malicious URL containing CRLF sequences embedded in parameters processed during SAML authentication
  2. Distribute this link to targeted users through phishing emails, malicious websites, or social engineering
  3. When a victim clicks the link while establishing a VPN session, the injected CRLF sequences manipulate the HTTP response
  4. The attacker's injected script executes in the victim's browser context, enabling theft of the SAML token
  5. Using the stolen token, the attacker can authenticate to the VPN as the victim

The vulnerability allows for cross-site scripting (XSS) attacks within the authentication flow and can expose sensitive browser-based information including valid SAML tokens. However, individual hosts and services behind the VPN headend would still require additional credentials for successful access.

Detection Methods for CVE-2024-20337

Indicators of Compromise

  • Unusual or malformed URLs containing encoded CRLF sequences (%0D%0A, %0D, %0A) in VPN authentication requests
  • Suspicious SAML authentication attempts from unexpected geographic locations or IP addresses
  • Multiple VPN sessions established from different locations using the same user credentials in short timeframes
  • Browser console errors or unusual script execution during VPN authentication flows

Detection Strategies

  • Deploy web application firewall (WAF) rules to detect and block requests containing CRLF injection patterns
  • Monitor authentication logs for anomalous SAML token usage or session establishment patterns
  • Implement network detection rules to identify crafted URLs targeting Cisco Secure Client authentication endpoints
  • Use endpoint detection and response (EDR) solutions to monitor for suspicious browser activity during VPN authentication

Monitoring Recommendations

  • Enable detailed logging for SAML authentication events in Cisco ASA or Firepower VPN headends
  • Configure alerts for VPN sessions established shortly after receiving authentication from unusual sources
  • Monitor for phishing campaigns targeting your organization that may distribute malicious VPN authentication links
  • Review network traffic for patterns consistent with CRLF injection attempts

How to Mitigate CVE-2024-20337

Immediate Actions Required

  • Update Cisco Secure Client to the latest patched version immediately
  • Review VPN access logs for any suspicious authentication activity
  • Alert users about potential phishing attempts involving VPN authentication links
  • Implement additional authentication factors for VPN access where possible

Patch Information

Cisco has released security updates to address this vulnerability. Organizations should apply the patches as outlined in the Cisco Security Advisory. The advisory contains specific version information and upgrade paths for affected Cisco Secure Client installations across Windows, macOS, and Linux platforms.

Administrators should prioritize patching based on the network exposure of their VPN infrastructure and the sensitivity of resources accessible through VPN connections.

Workarounds

  • Educate users to only initiate VPN connections through official Cisco Secure Client interfaces rather than clicking external links
  • Implement network-level filtering to block URLs containing suspicious CRLF-encoded characters targeting authentication endpoints
  • Consider implementing conditional access policies that restrict VPN authentication to trusted devices and locations
  • Deploy email security solutions to filter phishing attempts containing malicious VPN authentication links
bash
# Verify Cisco Secure Client version on Windows
"C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe" version

# Verify Cisco Secure Client version on macOS/Linux
/opt/cisco/secureclient/bin/vpn version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeXSS
  • Vendor/TechCisco Secure Client
  • SeverityHIGH
  • CVSS Score8.2
  • EPSS Probability4.95%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-93
  • Vendor Resources
  • Cisco Security Advisory
  • Related CVEs
  • CVE-2025-20206
  • CVE-2024-20474
  • CVE-2024-20391
  • CVE-2024-3661
  • CVE-2024-20338
  • CVE-2023-20241
  • CVE-2023-20240
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use