QID 317202

QID 317202: Cisco Firepower Software for ASA Firepower Module Command Injection Vulnerability (cisco-sa-asasfr-cmd-inject-PE4GfdG)

A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user.

Affected Products
Prior to 6.2.3.19
6.3.0 to 6.4.0.15
6.5.0 to 6.6.7
6.7.0 to 7.0.2.1

An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module.

  • CVSS V3 rated as High - 6.5 severity.
  • CVSS V2 rated as High - 7.7 severity.
  • Solution

    Customers are advised to refer to cisco-sa-ftd-sidns-bypass-3PzA5pO for more information.

    CVEs related to QID 317202

    Software Advisories
    Advisory ID Software Component Link
    cisco-sa-asasfr-cmd-inject-PE4GfdG URL Logo tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG