Cisco Firepower Device Manager Software Flaw Let Attackers Execute Remote Code

A vulnerability tracked as CVE-2021-1518 and rated medium severity, found in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software, could allow an attacker to execute arbitrary code on the underlying operating system of an affected device.

The flaw has a CVSS score of 6.3 and was reported by Nikita Abramov and Mikhail Klyuchnikov, security researchers at Positive Technologies.

To exploit this vulnerability, an attacker sends a crafted HTTP request to the API subsystem of an affected device. Exploitation requires valid user credentials, so the flaw is only reachable by an authenticated attacker.

According to the report, “This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending a crafted HTTP request to the API subsystem of an affected device.”

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

According to the report, the vulnerability affects Cisco FDM On-Box Software. Cisco says it is not aware of the vulnerability being exploited in the wild.

Fixes for the Vulnerability

Cisco software releases and the fixes for the vulnerability:

Cisco advised its customers to frequently consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

Furthermore, customers should make sure that the devices to be upgraded have sufficient memory, and verify that their current hardware and software configurations will continue to be supported properly by the new release.



Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
