CVE-2024-20360
📋 TL;DR
This SQL injection vulnerability in Cisco Firepower Management Center (FMC) allows authenticated attackers with at least Read Only credentials to execute arbitrary SQL queries. Successful exploitation could lead to data theft, arbitrary command execution, and privilege escalation to root. Organizations using vulnerable FMC versions are affected.
💻 Affected Systems
- Cisco Firepower Management Center (FMC)
📦 What is this software?
Secure Firewall Management Center by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains root access, exfiltrates all database data, executes arbitrary commands on the underlying OS, and maintains persistent access to the entire network security management system.
Likely Case
Data exfiltration from the FMC database including configuration data, network policies, and potentially sensitive information, followed by privilege escalation within the management system.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring that detects SQL injection attempts before successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but SQL injection is straightforward once authenticated. Attackers could use automated tools like sqlmap.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1 and later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download FMC version 7.4.1 or later from the Cisco Software Center.
3. Apply the update through the FMC web interface.
4. Reboot the appliance as required.
5. Verify that the update succeeded and that the system is functioning.
🔧 Temporary Workarounds
Restrict User Access
Limit FMC access to only the administrative users who need it and implement the principle of least privilege.
Network Segmentation
Place the FMC management interface on an isolated network segment with strict access controls.
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection protection rules in front of FMC
- Enable detailed logging and monitoring for SQL injection attempts and unusual database queries
🔍 How to Verify
Check if Vulnerable:
Check the FMC version via the web interface: System > Updates > Version Information. If the version is below 7.4.1, the system is vulnerable.
Check Version:
ssh admin@fmc-hostname 'show version', or check the web interface at System > Updates > Version Information
Verify Fix Applied:
After patching, verify that the version shown in System > Updates > Version Information is 7.4.1 or later. A test SQL injection attempt should then be rejected.
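The version rule above ("below 7.4.1 is vulnerable") is easy to get wrong when scripted against many appliances, because a string comparison sorts "7.10.0" below "7.4.1". The following is an added example, not code from this page or from Cisco: it parses a version line such as the one `show version` or the web interface reports into numeric components and applies the page's rule. The sample output is constructed and not verbatim FMC output, and the regex falls back to the first dotted number in the text because the exact layout of the real output is an assumption here. The vendor advisory linked above remains authoritative for release status.

```python
import re

# Fixed release stated on this page for CVE-2024-20360.
FIXED_VERSION = "7.4.1"

# Constructed sample; NOT verbatim output of the FMC 'show version' command.
SAMPLE_OUTPUT = "Cisco Secure Firewall Management Center\nVersion : 7.2.5 (Build 208)\n"

# Prefer a number that follows the word "Version"; fall back to the first dotted
# number anywhere in the text (layout of real output is an assumption).
VERSION_RE = re.compile(r"version\s*[:=]?\s*v?(\d+(?:\.\d+)+)", re.I)
ANY_DOTTED_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text):
    """Return the version found in `text` as a tuple of ints.
    'Version : 7.2.5 (Build 208)' -> (7, 2, 5); the build number is ignored."""
    m = VERSION_RE.search(text) or ANY_DOTTED_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """Apply the page's rule: anything below 7.4.1 is vulnerable.
    Tuples are zero-padded so '7.4' compares as 7.4.0, and numeric comparison
    keeps 7.10.0 above 7.4.1, which a plain string comparison would get wrong."""
    found, target = parse_version(version_text), parse_version(fixed)
    width = max(len(found), len(target))
    found += (0,) * (width - len(found))
    target += (0,) * (width - len(target))
    return found < target


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, "Version : 7.4.1", "Version : 7.10.0", "7.4"):
        status = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{parse_version(sample)} -> {status}")
```

Feed the function the text captured from each appliance (for example the output of the ssh command above) and act on the boolean; the `__main__` block only demonstrates the comparison on constructed strings.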
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in FMC logs
- Multiple failed authentication attempts followed by SQL-like patterns in requests
- Unexpected database access patterns
Network Indicators:
- SQL injection patterns in HTTP requests to FMC management interface
- Unusual outbound connections from FMC appliance
SIEM Query:
source="fmc_logs" AND ("sql" OR "union" OR "select" OR "insert" OR "delete" OR "update" OR "--" OR "' OR '1'='1")
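The SIEM query above fires on bare keywords such as "update" or "select", which the FMC management interface uses in ordinary request paths, so on its own it produces noise. As an added example (not code from this page or from Cisco), the script below implements the log and network indicators listed above in a tunable way: it URL-decodes each request target and scores combinations of SQL syntax rather than single words, then reports sources with repeated hits. The log lines are constructed in a generic combined-log layout and are not real FMC output; the API paths in them are illustrative only, since this page does not identify the affected endpoint; and the rule weights and threshold are my own choices to be tuned against local traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in a generic combined-log layout. NOT real FMC log
# output, and the API paths are illustrative only: this page does not identify
# the vulnerable endpoint.
SAMPLE_LOGS = [
    '10.0.0.5 - ro_user [12/May/2024:10:01:02 +0000] "GET /api/fmc_config/v1/domain/default/object/networks?offset=0&limit=25 HTTP/1.1" 200 1543',
    '10.0.0.5 - ro_user [12/May/2024:10:01:09 +0000] "POST /api/fmc_config/v1/domain/default/policy/accesspolicies/update HTTP/1.1" 200 210',
    '10.0.0.9 - ro_user [12/May/2024:10:02:15 +0000] "GET /api/fmc_config/v1/domain/default/object/networks?filter=name%3A%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98221',
    '10.0.0.9 - ro_user [12/May/2024:10:02:40 +0000] "GET /api/fmc_config/v1/domain/default/object/hosts?filter=1%27%20UNION%20SELECT%20name%2Cvalue%20FROM%20settings--%20 HTTP/1.1" 500 0',
    '10.0.0.9 - ro_user [12/May/2024:10:02:58 +0000] "GET /api/fmc_config/v1/domain/default/object/hosts?filter=1%27%3B%20SELECT%201 HTTP/1.1" 200 120',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Rules run over the URL-decoded request target. Bare keywords ("update",
# "select") are deliberately not rules on their own: the management interface
# uses them in legitimate paths. Each rule scores SQL *syntax* inside
# user-controlled input; weights and threshold are assumptions to be tuned.
RULES = [
    ("tautology",     re.compile(r"'\s*(?:or|and)\b.{0,20}=", re.I), 3),
    ("union_select",  re.compile(r"\bunion\b[\s(]+(?:all\s+)?select\b", re.I), 4),
    ("stacked_query", re.compile(r"'\s*;\s*(?:select|insert|delete|update|drop)\b", re.I), 3),
    ("comment_tail",  re.compile(r"(?:--|/\*)\s*$"), 2),
]
ALERT_THRESHOLD = 3


def score_target(target):
    """Decode the request target (path + query) and return (score, [rule names])."""
    decoded = unquote_plus(unquote_plus(target))  # second pass catches double-encoding
    hits = [name for name, pat, _ in RULES if pat.search(decoded)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def scan(lines):
    """Return one finding per log line whose score reaches ALERT_THRESHOLD."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        score, hits = score_target(m["target"])
        if score >= ALERT_THRESHOLD:
            findings.append({"src": m["src"], "user": m["user"], "ts": m["ts"],
                             "status": m["status"], "score": score, "rules": hits})
    return findings


def repeat_offenders(findings, min_hits=2):
    """Sources with several flagged requests: the 'SQL-like patterns in
    requests' indicator is far more convincing when it repeats from one source."""
    counts = Counter(f["src"] for f in findings)
    return {src: n for src, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f['ts']} {f['src']} user={f['user']} status={f['status']} "
              f"score={f['score']} rules={','.join(f['rules'])}")
    print("repeat offenders:", repeat_offenders(found))
```

Note that the second sample line, a legitimate request whose path ends in "update", scores zero here but would match the keyword-only SIEM query above. A 500 response paired with a high score (the fourth line) is worth treating as a stronger signal than a 200, since it suggests the injected syntax reached the database layer.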