CVE-2024-20502 Overview
CVE-2024-20502 is a denial of service (DoS) vulnerability in the Cisco AnyConnect VPN server component of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices. An unauthenticated, remote attacker can send a series of crafted HTTPS requests to the VPN server and force it to stop accepting new SSL VPN connections. Existing SSL VPN sessions remain unaffected, and the server recovers gracefully once the attack traffic stops.
The root cause is insufficient resource management while establishing SSL VPN sessions, classified under CWE-400 (Uncontrolled Resource Consumption). The flaw affects a broad set of Meraki MX and Z Series firmware images used in branch, retail, and teleworker deployments.
Critical Impact
Remote unauthenticated attackers can halt new SSL VPN connection establishment on affected Cisco Meraki MX and Z Series gateways, disrupting remote worker access.
Affected Products
- Cisco Meraki MX Series firmware (MX64/MX64W, MX65/MX65W, MX67/MX67C/MX67W, MX68/MX68CW/MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600)
- Cisco Meraki Z Series Teleworker Gateways firmware (Z3, Z3C, Z4, Z4C)
- Cisco Meraki vMX virtual appliance firmware
Discovery Timeline
- 2024-10-02 - CVE-2024-20502 published to NVD
- 2025-06-04 - Last updated in NVD database
Technical Details for CVE-2024-20502
Vulnerability Analysis
The vulnerability resides in the Cisco AnyConnect VPN server that handles SSL VPN session establishment on Meraki MX and Z Series devices. The server fails to constrain resources allocated during the SSL/TLS handshake and session setup phase. By repeatedly initiating new VPN sessions through crafted HTTPS requests, an attacker exhausts the resources reserved for new connection establishment.
Once the resource pool is depleted, the server stops accepting additional SSL VPN connections. Remote users attempting to connect through AnyConnect cannot establish a tunnel for the duration of the attack. The Cisco advisory confirms that already-authenticated VPN sessions continue to function during the condition. When attack traffic ceases, the AnyConnect VPN server recovers without administrator intervention.
Root Cause
The underlying defect is uncontrolled resource consumption [CWE-400] in the SSL VPN session setup path. The implementation does not enforce sufficient rate limits or per-source quotas on session-initiation requests. Each crafted HTTPS request consumes server-side state, and the cumulative state pressure denies service to legitimate clients attempting new connections.
Attack Vector
Exploitation requires only network reachability to the SSL VPN listener of an affected Meraki appliance. No credentials, no user interaction, and no prior foothold are needed. An attacker sends a sustained volume of crafted HTTPS requests to the VPN endpoint, triggering excessive session-establishment work until the server refuses new connections. Because internet-facing SSL VPN is the standard deployment model for these devices, exposure is inherent to the product role.
No public proof-of-concept code or exploit is currently published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.348%.
Detection Methods for CVE-2024-20502
Indicators of Compromise
- Sudden spike in inbound HTTPS connections to the AnyConnect VPN listener from one or a small number of source IP addresses.
- Meraki Dashboard alerts or syslog entries indicating that the AnyConnect VPN server stopped accepting new connections while existing sessions continue.
- Helpdesk reports of remote users unable to establish AnyConnect SSL VPN tunnels while site-to-site or active tunnels remain healthy.
Detection Strategies
- Monitor SSL VPN connection-establishment metrics on Meraki MX and Z Series devices for unusual rates of failed or half-open sessions.
- Correlate perimeter firewall and edge router flow logs for high-volume HTTPS traffic targeting the AnyConnect listener port from non-corporate source ranges.
- Establish baselines for legitimate AnyConnect connection rates and alert on deviations during business hours and after-hours periods.
Monitoring Recommendations
- Forward Meraki Dashboard event logs and syslog to a centralized SIEM for correlation with network telemetry.
- Track the count of active SSL VPN tunnels versus connection-attempt rate to detect attempts that never complete the handshake.
- Configure alerting for repeated TLS handshake initiations from the same source IP toward the VPN concentrator.
How to Mitigate CVE-2024-20502
Immediate Actions Required
- Apply the fixed firmware released by Cisco for Meraki MX, vMX, and Z Series devices as described in the Cisco Security Advisory cisco-sa-meraki-mx-vpn-dos-QTRHzG2.
- Verify firmware upgrade status across all Meraki MX and Z Series devices in the Meraki Dashboard inventory.
- Restrict SSL VPN exposure to only required source networks where operationally feasible.
Patch Information
Cisco has released fixed firmware versions for affected Meraki MX, vMX, and Z Series Teleworker Gateway devices. Refer to the Cisco Security Advisory cisco-sa-meraki-mx-vpn-dos-QTRHzG2 for the specific fixed releases mapped to each platform. Meraki firmware is typically deployed through the cloud-managed Dashboard, and administrators should confirm that affected networks are scheduled to receive the patched build.
Workarounds
- Cisco has not published a specific workaround for this vulnerability. Upgrading to fixed firmware is the supported remediation per the vendor advisory.
- Where patching is delayed, limit AnyConnect VPN reachability through upstream access control lists or geolocation restrictions to reduce the attack surface.
- Maintain redundant remote access pathways (such as client-based IPsec or alternate concentrators) so that disruption of the AnyConnect listener does not eliminate all remote connectivity options.
# Configuration example: verify Meraki firmware status via Dashboard API
curl -L -H "X-Cisco-Meraki-API-Key: $MERAKI_API_KEY" \
"https://api.meraki.com/api/v1/organizations/$ORG_ID/firmware/upgrades"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
