CVE-2024-20424 (CVSS 9.9): Cisco FMC Software Vulnerability Grants Attackers Root Access
Cisco has issued a critical security advisory warning of a command injection vulnerability in its Secure Firewall Management Center (FMC) Software. Tracked as CVE-2024-20424 and assigned a CVSS score of 9.9, this vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges.
This vulnerability is rooted in insufficient input validation of certain HTTP requests within the web-based management interface of Cisco FMC. If successfully exploited, an authenticated, remote attacker could execute arbitrary commands with root-level permissions on the underlying operating system of the Cisco FMC device, or on any managed Cisco Firepower Threat Defense (FTD) devices.
As Cisco explains in its security advisory, “an attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device.” This means that an attacker with credentials for a low-level user account, such as a Security Analyst (Read Only), could escalate their access to execute highly privileged commands on the system, potentially leading to full control over the device.
This vulnerability affects all versions of Cisco FMC Software, regardless of device configuration. This means a wide range of organizations relying on Cisco FMC for firewall management are potentially at risk.
Unfortunately, there are no workarounds that mitigate this vulnerability. Cisco states in its advisory that applying the software updates is the only way to fully protect against it.
Cisco has acted swiftly to release software updates addressing CVE-2024-20424, and users are urged to apply these updates without delay.
While Cisco’s Product Security Incident Response Team (PSIRT) has not reported any known malicious exploitation in the wild, the severity of this vulnerability makes it a high-priority target for attackers.