CVE-2016-1457
high
CVSS v3
8.8
CVSS v2
9.0
VIR risk
8.8
Description
The web-based GUI in Cisco Firepower Management Center 4.x and 5.x before 5.3.1.2 and 5.4.x before 5.4.0.1 and Cisco Adaptive Security Appliance (ASA) Software on 5500-X devices with FirePOWER Services 4.x and 5.x before 5.3.1.2 and 5.4.x before 5.4.0.1 allows remote authenticated users to execute arbitrary commands as root via crafted HTTP requests, aka Bug ID CSCur25513.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@cisco.com — http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-fmc
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | secure_firewall_management_center | 4.10.3.9 | |
| cisco | secure_firewall_management_center | 5.2.0 | |
| cisco | secure_firewall_management_center | 5.3.0.4 | |
| cisco | secure_firewall_management_center | 5.3.1 | |
| cisco | secure_firewall_management_center | 5.4.0 | |
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-fmc
- http://www.securityfocus.com/bid/92509
- http://www.securitytracker.com/id/1036642
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-fmc
- http://www.securityfocus.com/bid/92509
- http://www.securitytracker.com/id/1036642
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.