
CVE-2024-20465: Cisco IOS ACL Bypass Vulnerability

CVE-2024-20465 is an authentication bypass flaw in Cisco IOS Software affecting Industrial Ethernet 4000, 4010, and 5000 Series Switches that allows attackers to circumvent ACL protections. This article covers technical details.

Updated: January 22, 2026

CVE-2024-20465 Overview

A vulnerability in the access control list (ACL) programming of Cisco IOS Software running on Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. This Authorization Bypass vulnerability stems from the incorrect handling of IPv4 ACLs on switched virtual interfaces (SVIs) when an administrator enables and disables Resilient Ethernet Protocol (REP).

Critical Impact

An unauthenticated remote attacker can bypass ACL protections on affected Cisco Industrial Ethernet switches, potentially gaining unauthorized network access to protected segments.

Affected Products

  • Cisco IOS Software version 15.2(8)E2
  • Cisco IOS Software version 15.2(8)E3
  • Cisco IOS Software version 15.2(8)E4
  • Cisco IOS Software version 15.2(8)E5
  • Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches

Discovery Timeline

  • September 25, 2024 - CVE-2024-20465 published to NVD
  • October 24, 2024 - Last updated in the NVD database

Technical Details for CVE-2024-20465

Vulnerability Analysis

This vulnerability is classified as CWE-284 (Improper Access Control), affecting the ACL programming logic within Cisco IOS Software. The flaw resides in how the switch handles IPv4 ACLs applied to switched virtual interfaces (SVIs) during specific operational state changes of the Resilient Ethernet Protocol (REP).

When an administrator enables and subsequently disables REP on an affected switch, the ACL configuration on SVIs enters an inconsistent state. The underlying ACL enforcement mechanism fails to properly reinitialize or maintain the configured access rules, creating a window where traffic that should be denied by the ACL is permitted to traverse the switch.

This vulnerability is particularly concerning in industrial environments where Cisco Industrial Ethernet switches are deployed to segment and protect operational technology (OT) networks from unauthorized access.

Root Cause

The root cause lies in the incorrect handling of IPv4 ACL state during REP configuration changes. When REP is toggled (enabled then disabled), the ACL programming on SVIs is not properly restored to its intended configuration. This results in a race condition or state synchronization issue between the REP protocol handler and the ACL enforcement engine, leaving the switch in a permissive state that does not reflect the administrator's intended security policy.

Attack Vector

An attacker can exploit this vulnerability remotely over the network without authentication. The exploitation scenario involves:

  1. The attacker identifies a Cisco Industrial Ethernet 4000, 4010, or 5000 Series Switch running a vulnerable version of Cisco IOS
  2. The attacker monitors or infers that REP has been toggled on the device (potentially through network reconnaissance or after administrative maintenance windows)
  3. The attacker sends traffic through the affected switch that would normally be blocked by the configured ACL
  4. Due to the ACL bypass condition, the traffic is permitted, allowing unauthorized access to protected network segments

The vulnerability affects network traffic filtering, which means attackers could potentially reach sensitive industrial control systems, management interfaces, or other protected resources behind the switch.

Detection Methods for CVE-2024-20465

Indicators of Compromise

  • Unexpected network traffic traversing SVIs that should be blocked by configured ACLs
  • Log entries indicating REP configuration changes followed by anomalous traffic patterns
  • Network connections to protected segments from unauthorized sources
  • ACL hit counters not incrementing for traffic that should be matched and denied

Detection Strategies

  • Implement network traffic monitoring on segments protected by Cisco Industrial Ethernet switches to identify unauthorized access attempts
  • Review switch logs for REP enable/disable events and correlate with any subsequent unauthorized traffic
  • Deploy network intrusion detection systems (IDS) to monitor for traffic patterns that violate expected ACL policies
  • Conduct periodic ACL configuration audits to verify enforcement matches intended policy

Monitoring Recommendations

  • Enable syslog forwarding from affected switches to a centralized SIEM for real-time monitoring of REP state changes
  • Configure SNMP traps for ACL violations and configuration changes on industrial Ethernet switches
  • Implement NetFlow or equivalent traffic analysis on upstream devices to detect anomalous traffic patterns through protected segments
  • Establish baseline traffic patterns for industrial networks and alert on deviations
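The detection and monitoring bullets above describe correlating REP enable/disable events in forwarded syslog with traffic that reaches a protected segment from a source the SVI ACL should have denied. The script below is an added example of that correlation, not code from SentinelOne or Cisco. Every syslog line and flow record in it is constructed; the %PARSER-5-CFGLOG_LOGGEDCMD message shape assumes configuration-change logging (archive / log config / logging enable) is turned on, the timestamp shape assumes "service timestamps log datetime year", and the allowed-source and protected-segment values stand in for whatever the real ACL policy is.

```python
"""Correlate REP enable/disable configuration events with traffic that the
SVI ACL should have denied. Added example, not SentinelOne or Cisco code;
all log lines and flow records below are constructed."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed IOS syslog lines. The %PARSER-5-CFGLOG_LOGGEDCMD messages assume
# configuration-change logging (archive / log config / logging enable) is on;
# the timestamp shape assumes `service timestamps log datetime year`.
SAMPLE_SYSLOG = """\
Oct 24 2024 10:00:05: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/1
Oct 24 2024 10:00:09: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:rep segment 1
Oct 24 2024 10:07:30: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no rep segment 1
Oct 24 2024 10:07:31: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.5)
"""

# Constructed flow records from a collector on the protected OT segment:
# (timestamp, source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("Oct 24 2024 09:55:00", "10.5.5.5", "10.20.0.10", 502),
    ("Oct 24 2024 10:02:00", "10.1.1.7", "10.20.0.10", 502),
    ("Oct 24 2024 10:09:12", "10.5.5.5", "10.20.0.10", 502),
    ("Oct 24 2024 10:10:00", "10.5.5.5", "10.30.0.1", 443),
]

# Intended SVI policy (assumed values): only the engineering subnet may reach the PLC VLAN.
ALLOWED_SOURCES = [ip_network("10.1.1.0/24")]
PROTECTED_SEGMENT = ip_network("10.20.0.0/24")

TS_FORMAT = "%b %d %Y %H:%M:%S"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)
REP_ENABLE_RE = re.compile(r"^rep segment \d+")
REP_DISABLE_RE = re.compile(r"^no rep segment")


def parse_rep_toggles(syslog_text):
    """Return (enable_time, disable_time) pairs: a REP enable followed by a disable.
    The bypass condition described for CVE-2024-20465 arises after the disable."""
    toggles, pending_enable = [], None
    for line in syslog_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        cmd = m["cmd"].strip()
        if REP_ENABLE_RE.match(cmd):
            pending_enable = ts
        elif REP_DISABLE_RE.match(cmd) and pending_enable is not None:
            toggles.append((pending_enable, ts))
            pending_enable = None
    return toggles


def find_suspect_flows(flows, toggles, lookahead=timedelta(hours=24)):
    """Flows into the protected segment from a non-allowed source, seen after a
    REP disable. Such traffic should have been dropped by the SVI ACL."""
    suspects = []
    for ts_text, src, dst, dport in flows:
        ts = datetime.strptime(ts_text, TS_FORMAT)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dst_ip not in PROTECTED_SEGMENT:
            continue
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue
        for _enabled, disabled in toggles:
            if disabled <= ts <= disabled + lookahead:
                suspects.append((ts_text, src, dst, dport))
                break
    return suspects


if __name__ == "__main__":
    windows = parse_rep_toggles(SAMPLE_SYSLOG)
    for hit in find_suspect_flows(SAMPLE_FLOWS, windows):
        print("possible ACL bypass after REP toggle:", hit)
```

On the constructed data only the 10:09:12 flow is reported: it arrives from outside the allowed subnet, targets the protected segment, and falls after the "no rep segment 1" event; the 09:55 flow from the same source predates the toggle and the 10:10 flow targets an unprotected network. In a SIEM the same logic would run over the forwarded syslog stream and NetFlow records rather than string literals.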

How to Mitigate CVE-2024-20465

Immediate Actions Required

  • Review the Cisco Security Advisory for detailed guidance and fixed software versions
  • Identify all Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches in your environment running vulnerable IOS versions
  • Plan and schedule software upgrades to a fixed version as recommended by Cisco
  • Avoid toggling REP on affected switches until the vulnerability is remediated

Patch Information

Cisco has released a security advisory addressing this vulnerability. Administrators should consult the Cisco Security Advisory cisco-sa-repacl-9eXgnBpD for specific fixed software versions and upgrade instructions. The affected IOS versions include 15.2(8)E2, 15.2(8)E3, 15.2(8)E4, and 15.2(8)E5.

Workarounds

  • Avoid enabling or disabling REP on affected switches until the software is upgraded to a fixed version
  • If REP must be toggled, manually verify ACL enforcement is functioning correctly afterward by inspecting ACL hit counters and testing traffic filtering
  • Implement compensating controls such as additional ACLs on upstream devices or network segmentation through other means
  • Consider deploying network access control (NAC) solutions to provide an additional layer of authorization
```bash
# Verify ACL configuration and hit counters on the affected switch
show ip access-lists
# Confirm the ACL is still bound to the SVI ("show ip interface" reports the
# inbound/outgoing access list; plain "show interfaces" does not print it)
show ip interface <interface-name> | include access list
show running-config interface <interface-name> | include access-group
# After any REP configuration change, verify the ACL definition is still present
show running-config | section access-list
```
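The workaround above says to verify ACL enforcement after a REP change by inspecting hit counters and testing traffic filtering. The script below is an added example of automating that check, not code from SentinelOne or Cisco: it parses two "show ip access-lists" snapshots (taken before and after toggling REP and sending traffic that a deny entry should drop) plus a "show ip interface" capture, and reports deny entries whose counters did not move, entries that vanished, or an ACL that is no longer bound to the SVI. The CLI output, the ACL name OT-PROTECT, and the interface Vlan20 are constructed to mimic IOS formatting and are not from the advisory.

```python
"""Verify that an SVI ACL is still programmed and enforcing after a REP
configuration change by diffing `show ip access-lists` counters taken before
and after sending known-denied test traffic, and by checking the interface
binding in `show ip interface`. Added example, not Cisco or SentinelOne code;
the CLI output below is constructed to mimic IOS formatting."""
import re

ACL_HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")
ACE_RE = re.compile(
    r"^\s+(?P<seq>\d+) (?P<action>permit|deny) (?P<rule>.+?)(?: \((?P<matches>\d+) matches?\))?$"
)
BINDING_RE = re.compile(r"^\s*(?P<dir>Inbound|Outgoing)\s+access list is (?P<acl>.+)$")


def parse_access_lists(show_output):
    """{acl_name: {seq: (action, rule_text, match_count)}} from `show ip access-lists`."""
    acls, current = {}, None
    for line in show_output.splitlines():
        h = ACL_HEADER_RE.match(line)
        if h:
            current = h["name"]
            acls[current] = {}
            continue
        a = ACE_RE.match(line)
        if a and current is not None:
            # An ACE with no "(N matches)" suffix has never been hit.
            acls[current][int(a["seq"])] = (a["action"], a["rule"], int(a["matches"] or 0))
    return acls


def parse_bindings(show_ip_interface_output):
    """{'Inbound': acl_or_None, 'Outgoing': acl_or_None} from `show ip interface <svi>`."""
    bound = {}
    for line in show_ip_interface_output.splitlines():
        b = BINDING_RE.match(line)
        if b:
            acl = b["acl"].strip()
            bound[b["dir"]] = None if acl == "not set" else acl
    return bound


def check_acl_enforcement(acl_name, before_text, after_text, interface_text):
    """Findings that indicate the ACL is no longer enforcing as intended."""
    findings = []
    before = parse_access_lists(before_text).get(acl_name, {})
    after = parse_access_lists(after_text).get(acl_name)
    if after is None:
        return [f"{acl_name} missing from 'show ip access-lists' after REP change"]
    if acl_name not in parse_bindings(interface_text).values():
        findings.append(f"{acl_name} is no longer bound to the SVI")
    for seq, (action, rule, count_before) in before.items():
        if seq not in after:
            findings.append(f"ACE {seq} ({action} {rule}) disappeared")
            continue
        count_after = after[seq][2]
        # Test traffic that the deny ACE should catch was sent between the two snapshots,
        # so a deny counter that did not move means the rule is not being applied.
        if action == "deny" and count_after <= count_before:
            findings.append(
                f"deny ACE {seq} ({rule}) counter did not increment: {count_before} -> {count_after}"
            )
    return findings


# Constructed snapshots: 'before' was taken prior to toggling REP, 'after' was taken
# after toggling REP and sending traffic that ACE 20 should have dropped.
SHOW_BEFORE = """\
Extended IP access list OT-PROTECT
    10 permit tcp 10.1.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 502 (1523 matches)
    20 deny ip any 10.20.0.0 0.0.0.255 (88 matches)
    30 permit ip any any (40211 matches)
"""
SHOW_AFTER = """\
Extended IP access list OT-PROTECT
    10 permit tcp 10.1.1.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 502 (1540 matches)
    20 deny ip any 10.20.0.0 0.0.0.255 (88 matches)
    30 permit ip any any (40260 matches)
"""
SHOW_IP_INTERFACE = """\
Vlan20 is up, line protocol is up
  Internet address is 10.20.0.1/24
  Outgoing access list is not set
  Inbound  access list is OT-PROTECT
"""

if __name__ == "__main__":
    for finding in check_acl_enforcement("OT-PROTECT", SHOW_BEFORE, SHOW_AFTER, SHOW_IP_INTERFACE):
        print("WARNING:", finding)
```

The two permit counters advancing while the deny counter stays at 88 is exactly the signature the workaround bullet describes: the ACL is still present and still bound, yet traffic it should drop is not being matched. Feed the function real captures (for example collected over SSH with any automation library) rather than the embedded strings, and treat any non-empty findings list as a reason to re-apply the ACL and re-test before returning the segment to service.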

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Cisco IOS
  • Severity: MEDIUM
  • CVSS Score: 5.8
  • EPSS Probability: 0.24%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-284
  • NVD-CWE-noinfo

Vendor Resources

  • Cisco Security Advisory

Related CVEs

  • CVE-2025-20160: Cisco IOS Auth Bypass Vulnerability
  • CVE-2023-20186: Cisco IOS Auth Bypass Vulnerability
  • CVE-2026-20086: Cisco IOS XE Wireless Controller DoS Flaw
  • CVE-2026-20012: Cisco IKEv2 DoS Vulnerability
©2026 SentinelOne, All Rights Reserved.