| Base system (platform): | Cisco Adaptive Security Appliance (ASA) |
| Developers: | Cisco Systems |
| First release date: | 2016/02/18 |
| Last release date: | 2021/03/31 |
| Industries: | Information security |
| Technology: | IS - Firewalls |
Cisco Firepower is a fully integrated threat-focused firewall.
2026: Exploit for taking over Cisco FMC published. Even a schoolboy can use it
In early March, FSTEC warned of the discovery of a critical vulnerability, BDU:2026-02531[1], in Cisco Secure Firewall Management Center (FMC). Its severity is rated at the maximum CVSS score of 10, but FSTEC specialists have not yet confirmed that an exploit exists. At the same time, proof-of-concept (PoC) exploit code generated by artificial intelligence has already been found on GitHub. Cisco has released fixes; they are part of the March update set.
Cisco FMC (formerly Cisco Firepower Management Center) is a comprehensive network security management solution for Cisco firewalls. It allows multiple devices on multiple networks to be managed from a single console, and provides continuous monitoring and rapid response to threats.
According to Sergei Matusevich, director of security and web technology development at Artezio, FMC was quite popular with large and medium-sized companies that built integrated security systems on Cisco: banks, telecoms, large industrial holdings, retail, anywhere Cisco firewall clusters are deployed and a single console is required for managing security policies, intrusion detection and traffic filtering. After Cisco left Russia, many of these installations have not gone anywhere; they continue to work, but without official support and without regular access to updates.
| "Cisco FMC solutions are indeed widespread at enterprises in Russia," Andrei Michkin, head of the integrated architecture department at Cloud Networks, told TAdviser. "Offhand, three or four of our clients still have them functioning, and so far there are no prerequisites for their complete withdrawal from the network." |
At the same time, in the web interface of versions up to 6.4.0.18, 7.7.11 and 10.0.0, a flaw was found in the deserialization mechanism (reconstruction of untrusted data in memory, CWE-502) that allows a remote attacker to execute arbitrary code with superuser rights by sending specially crafted requests. As Andrei Basarygin, head of the software research group at Bastion, explained to TAdviser, malicious code execution is achieved by forming a special request containing a Java class representation that the system processes insecurely, disrupting the normal operation of the software by executing the code the attacker requires on behalf of the superuser.
| "Of particular concern is the discovered fact of a PoC exploit being published on GitHub," Dmitry Khomutov, director of Ideco, shared his thoughts with TAdviser. "This means that the barrier to entry for attackers is minimal. Even a so-called 'schoolboy' will be able to access a management console exposed to the Internet." |
Admittedly, the discovered versions of the exploit were written by an AI assistant (Copilot), so it is hard to assess how well they work; nevertheless, hackers have already begun actively improving, and possibly using in practice, the generated code.
At the same time, according to Dmitry Khomutov, compromising FMC means not just seizing one server but gaining control over the organization's entire firewall infrastructure, including the ability to disable IPS, change firewall rules, erase system log records, and obtain passwords from decrypted SSL traffic. Since the vulnerability exists in fairly old versions, the situation can be very dangerous: there is an installed base, and the ability to quickly obtain and install fixes is extremely limited.
That said, in order to exploit the vulnerability an attacker must at least have access to the device's web interface.
| "The discovered vulnerability is dangerous because it affects the web management interface," Mikhail Timaev, head of the technical presale department at IT Task, warned TAdviser readers. "A separate risk is that such systems are often located at the center of the network and have access to a large amount of data and settings. If an attacker gains control over the management server, he can not only weaken protection but also use the infrastructure to further develop an attack within the network." |
According to Oleg Pimenov, web development architect at UserGate, there are no workarounds: the only way to fix the flaw is to install the fixes provided by the developer. Under sanctions, he recommends immediately isolating the FMC web interface from external networks, restricting access with IP whitelists, deploying a WAF in front of the management interface, and strengthening SIEM monitoring for abnormal activity with superuser privileges. In parallel, the risks of applying updates from Cisco must be assessed and migration to domestic solutions accelerated.
| "As for the specific vulnerability BDU:2026-02531 in a specific vendor's, Cisco's, FMC product, at the 'zero' stage the recommendation will be to limit the use of this product for critical infrastructure components," Maxim Fedosenko, leading engineer-analyst at the Gazinformservice cybersecurity center, advised TAdviser readers. |
2025: Vulnerability in Cisco's security management system opens door to complete takeover of corporate infrastructure
In the twenties of August, FSTEC sent out a warning about the discovery of a critical vulnerability, BDU:2025-09828[2], in the Cisco Secure Firewall Management Center network administration software (formerly Cisco Firepower Management Center, or simply FMC). The flaw received the maximum CVSS score of 10, even though it belongs to the injection category (CWE-74), which usually does not carry such high severity.
Apparently this is because the improper neutralization of special elements in output used by a downstream component, which is the official name of this class of injection, was found in the handling of the popular RADIUS authentication protocol (Remote Authentication Dial-In User Service). RADIUS provides centralized authentication, authorization and accounting of users connecting to the network, so injecting commands through it can compromise the entire corporate infrastructure.
The manufacturer has confirmed the vulnerability and released fixes for its product, but fixing it requires installing them, which can be a difficult task for Russian companies. Only FMC versions 7.0.7 through 7.7.0 with RADIUS authentication enabled are affected, so the manufacturer recommends using other methods of authenticating remote users in the meantime.
Sergey Gordeichik, CEO of CyberOK, shared with TAdviser that the attack surface control and information system (SCIPA) developed by his company detects more than 300 vulnerable services on the Runet. And since the vulnerability can lead to a complete compromise of a company's infrastructure, at least three hundred fairly large corporate networks may be under threat.
| "Despite the lack of official support from the vendor and the general trend toward import substitution in information security, solutions with FMC are still found, and as a rule in large financial and industrial organizations," Maxim Kashirin, head of security analysis at Angara Security, told TAdviser. "At the same time, in the small and medium-sized business segment such systems are very rare due to the high cost of implementation and operation. Thus, the discovered vulnerability can affect precisely the segment of Russian organizations for which security issues are critical." |
That is, the largest corporate networks in Russia may be at risk. So far there has been no news of an exploit being published for this vulnerability, but that could happen at any time.
| "A successful exploitation of the vulnerability could allow an attacker to execute commands with a high level of privilege," Ural Mukhtarov, head of the information protection systems implementation and maintenance department at Infosecurity, warned TAdviser readers. "That is, having gained access, an attacker will easily be able to change the configuration of both FMC and the systems it manages, including filtering rules and the sets of security mechanisms used, etc. An intruder will potentially be able to collect a complete map of the network and all security rules, and disable intrusion detection and prevention systems. This will further allow him to carry out a phased attack on internal resources, which could ultimately lead to significant damage to the business." |
Dmitry Khomutov, director of Ideco, also notes that using this vulnerability an attacker can disable protection, change security policies, extract device configurations and move freely around the network. The greatest risk lies in compromising the network perimeter: planting backdoors and implants, as well as covert monitoring, which makes the attack hard to detect and extremely destructive. Successful exploitation can trigger a chain reaction leading to the seizure of the entire infrastructure, especially if the management segment is not isolated from the main network. Moreover, this can be done without administrators noticing.
| "Security management software is in many cases the central point for configuring, managing and monitoring the equipment connected to it," the Solar press service told TAdviser. "You can raise the level of software protection against vulnerabilities by taking the following key measures: regular system updates, two-factor authentication, fine-grained access control and full logging. Equally important are up-to-date infrastructure documentation, a comprehensive information security policy, and ongoing training and raising staff awareness of current cyber threats." |
And remember to close the RADIUS ports on Cisco FMC[4].
2024: Vulnerability in Cisco product allows the authentication system to be tricked and any command executed
In a message dated October 28, FSTEC warned of the discovery of a critical vulnerability, BDU:2024-08598[5], in the web interface for managing a network of Cisco Firepower Management Center (FMC) devices. Exploiting the vulnerability could allow a remote attacker to execute arbitrary commands on the underlying operating system with superuser privileges by sending specially crafted HTTP requests. Its CVSSv3 severity score is 9.9 out of 10.
Cisco has already released fixes for it; the vulnerability was closed in the October patch set. It stems from improper neutralization of special elements used in an operating system command. An attacker using this vulnerability can trick the Cisco FMC authentication system and execute any command.
| "As a rule, such systems are not exposed on the perimeter," Alexei Lednev, head of the attack detection department at the Positive Technologies security expert center, explained to TAdviser. "In addition, a valid account in the system is required to exploit it. Plus, there is no exploit in the public domain. All this suggests that a mass attack is not to be expected. But an APT group may well exploit this vulnerability, since network devices are a tempting enough target for attackers." |
Although the vulnerability's CVSS score of 9.9 implies, among other things, that it is easy to exploit, in practice an attacker needs to guess the credentials of a user with at least the Security Analyst role in order to successfully use this flaw.
| "This vulnerability is associated with insufficient validation of the input of certain HTTP requests, and to exploit it an attacker will need valid credentials for a user account with at least the security analyst role," Alexey Ryabinin, leading specialist in the technical protection of confidential information department at Cloud Networks, told TAdviser. "It can then be exploited by authenticating in the web management interface of the vulnerable device and sending the crafted HTTP request to the device." |
Obtaining user account data is not easy; it may well require resorting to phishing.
| "To exploit the vulnerability, a hacker needs to obtain user credentials, which can be done using a phishing attack," Andrei Yashinin, vulnerability detection analyst engineer at R-Vision, explained the attack chain to TAdviser readers. "Phishing is a common method of obtaining information, and it is often difficult to minimize due to the low awareness of enterprise employees. As a result, the vulnerability can lead to leakage of confidential data stored in the system, data changes, the introduction of malicious commands and disruption of the normal operation of the system. An attacker can also completely restrict access to network management." |
It should be noted that the product itself was once popular in Russia.
| "The Cisco Firepower Management Center product is quite popular on the Russian market, and many companies continue to use it," Alexander Shilov, head of network security at K2 Cybersecurity, told TAdviser. "The import substitution process is in full swing and Russian analogues of the product are actively developing. But not all users are ready to quickly abandon familiar and proven Western solutions in favor of domestic ones." |
FSTEC specialists propose the following measures to protect against exploitation of this vulnerability:
- Disable or completely delete unused user accounts;
- Use intrusion detection and prevention systems to identify and respond to attempts to exploit the vulnerability;
- Segment the network to restrict access to the vulnerable software product.
Although closing direct access from the Internet to the vulnerable product and organizing a secure VPN connection for remote administration is not among the measures FSTEC traditionally proposes, this recommendation would be quite appropriate here. Such management systems are usually installed inside the corporate network, and hackers cannot gain direct access to them.
Alexander Shilov also recommends a Stealth-type rule on the internal firewall, which helps prevent attacks by eliminating the possibility of unauthorized access to the web management interface. However, all experts agree that to fix the vulnerability you need to install the manufacturer's updates, which is not easy for Russian companies.
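As an added illustration of the advice given above for both FMC flaws (whitelist the sources allowed to reach the management web interface, and watch for abnormal superuser activity), here is a small Python check over a constructed audit log; it is not code from the page or from any vendor. The log format, addresses, user names and the admin list are all invented for the example: it flags management-interface requests from outside an admin IP whitelist and superuser-level actions by accounts that are not on the known admin list.

```python
"""Flag management-interface access from outside a source-IP whitelist and
superuser-level actions by accounts outside the known admin set, over a
constructed audit log (the line format is invented for this example and is
not Cisco's real FMC log format)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed line format: <time> src=<ip> user=<name> role=<role> path=<uri> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample of management web-interface activity (not real data).
SAMPLE_LOG = """\
2026-03-05T09:12:01Z src=10.20.0.15 user=netops1 role=admin path=/login status=200
2026-03-05T09:12:44Z src=10.20.0.15 user=netops1 role=admin path=/policy/rules status=200
2026-03-05T09:15:10Z src=203.0.113.77 user=- role=- path=/login status=401
2026-03-05T09:16:02Z src=10.20.0.31 user=svc-backup role=admin path=/system/config status=200
2026-03-05T09:17:30Z src=10.20.0.15 user=analyst2 role=analyst path=/events status=200
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user: str
    reason: str


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def source_allowed(src, allowed_nets):
    """True if src is a valid IP address inside one of the whitelisted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(ip in net for net in allowed_nets)


def audit(log_text, allowed_cidrs, known_admins):
    """Apply both checks to every parseable line and return the findings in order."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Check 1: any request to the management interface from outside the whitelist.
        if not source_allowed(ev["src"], allowed_nets):
            findings.append(Finding(ev["ts"], ev["src"], ev["user"],
                                    "management interface reached from outside the admin whitelist"))
            continue
        # Check 2: a superuser-level role used by an account not on the known admin list.
        if ev["role"] == "admin" and ev["user"] not in known_admins:
            findings.append(Finding(ev["ts"], ev["src"], ev["user"],
                                    "superuser-level role used by an account outside the known admin set"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["10.20.0.0/24"], {"netops1"}):
        print(f"{f.ts} {f.src} {f.user}: {f.reason}")
```

On the constructed sample this reports two findings: the login attempt from 203.0.113.77 and the admin-role session of the unlisted svc-backup account.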
2021: FSTEC of Russia firewall certification
On March 31, 2021, SATEL announced that it had received a certificate of conformity for an information security tool: the firewall implemented in Cisco Firepower 2100 series network security appliances. The certificate was issued by the Federal Service for Technical and Export Control of the Russian Federation (FSTEC of Russia).
SATEL certified the equipment under the "series" scheme, which gives customers the opportunity to obtain an unlimited number of certified Cisco Firepower 2100 firewalls.
Cisco Firepower 2100 is a type "A" and type "B" firewall used on the physical and logical boundary of an information system or between the physical and logical boundaries of information system segments. The firewall is designed for integrating local area networks into an enterprise-wide network (intranet) and into Internet-type wide area networks. Integration is implemented on the basis of administrator-defined rules for filtering information flows in specified directions, which enforce the separation of access by subjects of one network to objects of another. The rule set is interpreted by a sequence of firewall software commands that allow or deny the transmission of data packets in one direction or the other.
The Cisco Firepower 2100 series firewall is certified in the information security tools certification system No. ROSS RU.0001.01BI00 and holds Certificate of Conformity with Information Security Requirements No. 4373. According to the certificate, the equipment meets the requirements of the following documents:
- Requirements for firewalls (FSTEC of Russia, 2016);
- Type "A" firewall protection profile of the sixth protection class. IT.ME.A6.PZ (FSTEC of Russia, 2016);
- Type "B" firewall protection profile of the sixth protection class. IT.ME.B6.PZ (FSTEC of Russia, 2016);
- Information security requirements establishing levels of trust in information technical protection tools and information technology security tools (approved by Order of the FSTEC of Russia dated June 2, 2020 No. 76) on the 6th level of trust.
| "Compliance with Russian regulations is an integral part of Cisco's strategy. We are glad that we were able to take another step in this direction together with our long-term technology partner SATEL," commented Mikhail Kader, Distinguished Systems Engineer at Cisco. |
2017: Cisco Firepower 2100 Series
In February 2017, Cisco introduced a family of next-generation firewalls for the Internet perimeter: the Cisco Firepower 2100 series. These firewalls maintain virtually constant throughput when additional security services are enabled, and meet the needs of today's organizations for uptime and protection of critical business functions and data.
Models in this series:
- Firepower 2110 Security Appliance
- Firepower 2120 Security Appliance
- Firepower 2130 Security Appliance
- Firepower 2140 Security Appliance
In the transition to digital business models, cybersecurity solutions must scale to add new features and counter new threats and vulnerabilities without compromising network and application performance. In reality this is unfortunately often not the case: enabling intrusion detection on a firewall can cut throughput by half or more. As a result, web-based customer-facing applications such as Internet banking and e-commerce, which need maximum performance and are more likely than others to be targeted by cybercriminals, suffer significantly. Some enterprises disable security functionality to improve performance, putting both themselves and their customers at risk.
The 2100 series firewalls feature the industry's first dual-core CPU architecture, which accelerates encryption, firewalling and other key security functions. These models are designed specifically to maintain a consistent level of security and performance. Compared to products in a similar price category, the Cisco Firepower 2100 provides higher performance even with threat inspection enabled.
2016
On February 18, 2016, Cisco announced the release of the Cisco Firepower fully integrated threat-focused firewall.
According to the vendor, the solution differs significantly from analogues limited to application control: Cisco's solution detects and recognizes potential attackers, ensuring security.
Together with the firewall announcement, the company launched the Cisco Security Segmentation Service consulting service.
Its task is to help:
- improve compatibility;
- localize the source of an attack;
- detect threats;
- monitor content security;
- prevent data leakage across the IT infrastructure.
Both Cisco innovations are aimed at protecting against dangerous and persistent cyber attacks.
Threat protection is a distinctive feature of the Cisco Firepower firewall. It combines threat analytics, security policy enforcement and visibility into how users connect to applications. This level of visibility across the entire business environment enhances protection and reduces the time it takes to detect and respond to threats. The firewall allows protective measures to be automated and tuned, and the security posture to be strengthened almost immediately, because it takes into account the current vulnerabilities, assets and threats in the network. Coordinated security measures provide protection that point solutions cannot.
Cisco Firepower increases the speed, simplicity and efficiency of detecting and responding to attacks. The product integrates threat protection services and Cisco's dynamic packet filtering technology into a single solution.
Among the features of the product:
- next-generation intrusion prevention system (NGIPS);
- Advanced Malware Protection (AMP);
- reputation-based URL filtering.
The integrated firewall combines Cisco and third-party solutions to share analytics and context. Enterprises can now correlate previously disparate pieces of data and more quickly recognize and repel complex attacks wherever they occur. This increases the competitiveness of organizations looking to take advantage of new business opportunities in the cloud, virtual environments, the Internet of Things and mobile devices.
Cisco has introduced the Cisco Firepower 4100 Series for high-performance applications used by medium and large businesses. This device, high-performance for its class and with an optimal density of computing resources, is capable of inspecting threats at high throughput and low network latency and is suited to high-frequency trading organizations and data center deployments. The device has built-in 40 GbE ports and a one rack unit (1U) chassis.