CVE-2021-1488

A vulnerability in the upgrade process of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to inject commands that could be executed with root privileges on the underlying operating system (OS). This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by uploading a crafted upgrade package file to an affected device. A successful exploit could allow the attacker to inject commands that could be executed with root privileges on the underlying OS.

Published: Apr 29, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-1488
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.7
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
cisco / firepower_threat_defense	6.5.0	6.6.4
cisco / firepower_threat_defense	6.7.0	6.7.0.2
cisco / adaptive_security_appliance_software	9.13	9.13.1.21
cisco / adaptive_security_appliance_software	9.14	9.14.2.13
cisco / adaptive_security_appliance_software	9.15	9.15.1.10

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-cmdinj-TKyQfDcU

Vulnerability Database

289,599

CVE-2021-1488