Cisco has disclosed a critical vulnerability (CVE pending) in its Meraki MX and Z Series devices that could allow authenticated attackers to disrupt VPN services.
The flaw, which affects devices with Cisco AnyConnect VPN enabled, permits remote denial-of-service (DoS) attacks by exploiting uninitialized variables during SSL VPN session setup.
Vulnerability Details
The issue stems from the improper initialization of a variable when establishing SSL VPN connections. Attackers with valid VPN credentials can send crafted attributes during session setup, triggering a restart of the Cisco AnyConnect VPN service.
This forces active VPN users to reconnect and may block new sessions during sustained attacks.
While services automatically recover after attacks cease, repeated exploitation could severely impact organizations relying on these devices for remote access.
Affected Products
The vulnerability impacts 23 Meraki models, including:
- MX64/MX65 series
- MX67/MX68 series
- MX95/MX105 enterprise-grade appliances
- Z3/Z4 teleworker gateways
Devices are only vulnerable if running Meraki MX firmware 16.2 or later with AnyConnect VPN enabled. Notably:
- MX64/MX65 require firmware 17.6+ to support AnyConnect
- MX400/MX600 models won’t receive fixes due to end-of-life status
Cisco confirms ASA, FTD, IOS, and Meraki Z1 devices remain unaffected.
Impact and Mitigation
Successful exploits cause:
- Immediate termination of active VPN sessions
- Temporary blockage of new connections
- No persistent configuration damage
Cisco has released patched firmware versions across multiple release branches:
| Firmware Branch | Fixed Version |
|---|---|
| 18.1 | 18.107.12 |
| 18.2 | 18.211.4 |
| 19.1 | 19.1.4 |
Administrators can verify AnyConnect status via Meraki Dashboard:
- Navigate to Security & SD-WAN > Configure > Client VPN (MX) or Teleworker Gateway > Configure > Client VPN (Z Series)
- Check the AnyConnect Settings tab
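As an added triage helper (not Cisco's code and not part of the advisory), the following Python applies the conditions above to inventory entries: AnyConnect-enabled MX/Z firmware 16.2 or later is affected, each branch has the fixed build from the table, MX400/MX600 get no fix, and Z1 is unaffected. It assumes firmware strings parse as dotted integers and that a build's branch is named by the major number plus the first digit of the second component (18.107.x in 18.1, 18.211.x in 18.2), which is inferred from the table rather than stated by Cisco.

```python
# Added triage helper, not Cisco's code: classifies a device inventory entry
# against the advisory's conditions. Sample inventory below is constructed.

# Fixed firmware per release branch, from the advisory table.
FIXED_VERSIONS = {"18.1": "18.107.12", "18.2": "18.211.4", "19.1": "19.1.4"}
EOL_MODELS = {"MX400", "MX600"}          # will not receive a fix
UNAFFECTED_MODELS = {"Z1"}               # confirmed unaffected by Cisco
VULN_FLOOR = (16, 2)                     # affected from firmware 16.2 onward
# MX64/MX65 only support AnyConnect from 17.6, so earlier builds cannot
# expose the vulnerable feature.
ANYCONNECT_MIN = {"MX64": (17, 6), "MX65": (17, 6)}


def parse_version(version: str) -> tuple:
    """Turn '18.107.12' into (18, 107, 12) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version: tuple) -> str:
    """Assumption: branch = major number plus the first digit of the second
    component (18.107.x -> '18.1', 18.211.x -> '18.2', 19.1.x -> '19.1')."""
    return f"{version[0]}.{str(version[1])[0]}"


def triage(model: str, firmware: str, anyconnect_enabled: bool) -> str:
    version = parse_version(firmware)
    if model in UNAFFECTED_MODELS:
        return "not_affected: model not affected"
    if not anyconnect_enabled:
        return "not_affected: AnyConnect disabled"
    if version < VULN_FLOOR or version[:2] < ANYCONNECT_MIN.get(model, VULN_FLOOR):
        return "not_affected: firmware predates vulnerable feature"
    if model in EOL_MODELS:
        return "end_of_life: no fix available, plan replacement"
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is None:
        return "vulnerable: no fixed build in this branch, move to a fixed branch"
    if version >= parse_version(fixed):
        return "fixed"
    return f"vulnerable: update to {fixed}"


if __name__ == "__main__":
    inventory = [("MX68", "18.107.9", True), ("MX105", "19.1.4", True),
                 ("MX400", "18.211.2", True), ("MX64", "17.5.1", True),
                 ("Z3", "17.10.2", True), ("MX95", "19.1.3", False)]
    for model, fw, ac in inventory:
        print(f"{model:6} {fw:10} anyconnect={ac!s:5} -> {triage(model, fw, ac)}")
```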
Security Response
Cisco’s Product Security Incident Response Team (PSIRT) discovered the flaw during internal testing, with no evidence of active exploitation.
The company emphasizes firmware best practices, advising:
- Immediate updates for supported devices
- Replacement plans for obsolete MX400/MX600 hardware
- Continuous monitoring of VPN connection logs
This vulnerability highlights the risks in SSL VPN implementations, particularly in widely deployed infrastructure like Cisco’s Meraki lineup.
With remote work still prevalent, organizations must prioritize patch deployment to maintain business continuity and secure remote access capabilities.