CVE-2020-12142

moderate-risk
Published 2020-05-05

1. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication. 2. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell.

Do I need to act?

-
0.21% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / HIGH complexity

Affected Products (20)

Unity Edgeconnect For Amazon Web Services
Unity Edgeconnect For Azure
Unity Edgeconnect For Google Cloud Platform
Vx-500 Firmware
Vx-1000 Firmware
Vx-2000 Firmware
Vx-3000 Firmware
Vx-5000 Firmware
Vx-6000 Firmware
Vx-7000 Firmware
Vx-9000 Firmware
Vx-8000 Firmware
Nx-700 Firmware
Nx-1000 Firmware
Nx-2000 Firmware
Nx-3000 Firmware
Nx-5000 Firmware
Nx-6000 Firmware
Nx-7000 Firmware

Affected Vendors

Silver-Peak

References (2)

Vendor Advisory https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notic...
Vendor Advisory https://www.silver-peak.com/sites/default/files/advisory/security_advisory_notic...
37
/ 100
moderate-risk
Severity 15/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 21/34 · High