CVE-2021-34762
📋 TL;DR
This vulnerability allows authenticated attackers to perform directory traversal attacks on Cisco Firepower Management Center (FMC) Software via the web management interface. Attackers can read or write arbitrary files on affected devices. Only users with valid credentials can exploit this vulnerability.
💻 Affected Systems
- Cisco Firepower Management Center (FMC) Software
📦 What is this software?
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
Firepower Management Center Virtual Appliance by Cisco
View all CVEs affecting Firepower Management Center Virtual Appliance →
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file write leading to remote code execution, configuration tampering, or credential theft.
Likely Case
Unauthorized file access leading to sensitive information disclosure, configuration modification, or privilege escalation.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires valid credentials and access to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.5.2, 6.7.0.2, 7.0.0 or later
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-dir-traversal-95UyW5tk
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Download appropriate patch from Cisco Software Center. 3. Apply patch via FMC web interface or CLI. 4. Restart FMC services as prompted.
🔧 Temporary Workarounds
Restrict Web Interface Access
allLimit access to FMC web interface to trusted IP addresses only.
Configure firewall rules to restrict access to FMC management IP/ports
Enforce Strong Authentication
allImplement multi-factor authentication and strong password policies for FMC accounts.
Configure TACACS+/RADIUS with MFA for FMC authentication
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FMC from untrusted networks
- Enable comprehensive logging and monitoring for directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check FMC version via web interface (System > Updates > Version) or CLI command 'show version'Check Version:
show version | include VersionVerify Fix Applied:
Verify version is 6.6.5.2, 6.7.0.2, 7.0.0 or later and test directory traversal attempts are blocked📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- Unauthorized file access attempts in system logs
- Authentication logs showing credential use from unusual locations
Network Indicators:
- HTTPS requests to FMC with directory traversal patterns
- Unusual file transfer patterns from FMC
SIEM Query:
source="fmc_logs" AND (http_uri="*../*" OR http_uri="*..\\*" OR http_uri="*%2e%2e%2f*")