Cisco Releases Security Updates Addressing Vulnerabilities in ThousandEyes and Snort


Cisco has released security updates addressing vulnerabilities in its ThousandEyes Endpoint Agent for macOS and RoomOS, as well as in its Snort detection engine, which is used in multiple products.

Both advisories, published on January 8 and updated on January 13, 2025, underscore the need for administrators to urgently deploy software updates to mitigate potential risks.

ThousandEyes Endpoint Agent Certificate Validation Vulnerability

Cisco identified a certificate validation flaw in the ThousandEyes Endpoint Agent for macOS and RoomOS, as detailed in advisory ID: cisco-sa-thousandeyes-cert-pqtJUv9N.

This vulnerability, assigned CVE-2025-20126, has a CVSS score of 4.8 (Medium) and stems from improper certificate validation routines for hosted metrics services.

If exploited, the flaw could allow an unauthenticated attacker to intercept or manipulate metrics information by masquerading as a trusted host using a crafted certificate.

This attack, known as an on-path attack (formerly “man-in-the-middle”), could disrupt secure communications between the client and remote metrics services.

Affected Products

  • Cisco ThousandEyes Endpoint Agent for macOS.
  • RoomOS devices running affected versions.

Cisco has confirmed that Windows-based ThousandEyes Endpoint Agents are not impacted.

Cisco has addressed the issue with software updates:

  • The vulnerability is fixed in Cisco ThousandEyes Agent Release 1.206.3 for macOS.
  • For RoomOS, the fix is included in Release 1.207.21, with the first corrected RoomOS version being 11.22.1.0.

Administrators are urged to upgrade to these versions immediately. No workarounds exist, although Cisco suggests that disabling the agent instant test feature may help mitigate risks.
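
To find endpoints still below the fixed releases listed above, a short inventory triage helps. The script below is an added example, not Cisco tooling: the `hostname,platform,agent_version` inventory format and the platform labels are assumptions, and the sample rows are constructed.

```python
# Added example: triage an agent inventory against the fixed releases named in the article.
# Assumed input format: hostname,platform,agent_version (one endpoint per line).

FIXED = {  # first fixed ThousandEyes agent release per platform, as stated in the article
    "macos": (1, 206, 3),
    "roomos": (1, 207, 21),
}
NOT_AFFECTED = {"windows"}  # the article states Windows agents are not impacted

SAMPLE_INVENTORY = """\
mac-lab-01,macOS,1.205.0
mac-lab-02,macOS,1.206.3
room-kit-07,RoomOS,1.99.4
room-kit-08,RoomOS,1.207.21
win-desk-11,Windows,1.190.2
mac-lab-03,macOS,unknown
"""  # constructed sample rows

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    platform = platform.strip().lower()
    if platform in NOT_AFFECTED:
        return "not-affected"
    fixed = FIXED.get(platform)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "review"  # unknown platform or unparseable version: check by hand
    # Tuples compare numerically per component, so 1.99.4 sorts below 1.207.21
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory_text):
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            if line.strip():
                results[line.strip()] = "review"  # malformed row
            continue
        host, platform, version = fields
        results[host] = classify(platform, version)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```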

Snort Rate Filter Bypass Vulnerability

A separate vulnerability related to the Snort detection engine, widely used in Cisco products, was disclosed under advisory ID: cisco-sa-snort-rf-bypass-OY8f3pnM. Assigned CVE-2024-20342, the flaw has a CVSS score of 5.8 (Medium) and could allow attackers to bypass rate-limiting filters.

The issue arises from an incorrect connection count comparison in Snort’s rate filtering feature. By sending traffic at a rate exceeding the configured limit, an attacker could bypass protections provided by the rate filter, potentially allowing unauthorized traffic into a network.

Affected Products

  • Open Source Snort 2 and Snort 3.
  • Cisco products running vulnerable releases of FirePOWER Services or Firepower Threat Defense (FTD) Software with Snort enabled.

Cisco has advised customers to assess the vulnerability’s impact on their environment and deploy fixes according to their own risk mitigation strategies.

Cisco has released updates addressing this issue, which are included in its October 2024 Security Advisory Bundled Publication.

No Active Exploits Detected

As of the advisory updates, Cisco’s Product Security Incident Response Team (PSIRT) has found no evidence of active exploitation for either vulnerability. However, these issues pose significant security risks, and administrators are strongly encouraged to apply available patches immediately.

For additional information, customers can reach out to Cisco’s Technical Assistance Center or visit the Cisco Security Advisories page. Keeping systems updated remains essential for maintaining a secure environment.
