Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-20828Improper Handling of Undefined Parameters in Cisco ASA Firepower

CWE-236Improper Handling of Undefined Parameters4 documents4 sources
Severity
7.2HIGHNVD
CNA6.5
EPSS
53.0%
top 2.03%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Cisco ASA FirepowerCisco Firepower Services Software FOR ASA
Timeline
PublishedJun 24
Latest updateJun 25

Description

A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-bas

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDcisco/asa_firepower6.3.06.4.0.15+3

🔴Vulnerability Details

2
GHSA
GHSA-rhf7-g27p-vr96: A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, rem2022-06-25
CVEList
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability2022-06-24

📋Vendor Advisories

1
Cisco
Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability2022-06-22
CVE-2022-20828 — Cisco ASA Firepower vulnerability | cvebase