
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in the Command Line Interface (CLI) of Cisco Firepower Threat Defense (FTD) Software (CVE-2021-34752) was discovered that could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability was discovered during internal security testing by Brandon Sakai of Cisco and was publicly disclosed on October 27, 2021. This vulnerability affects Cisco FTD Software running in default configuration (Cisco Advisory).
The vulnerability stems from insufficient validation of user-supplied command arguments in the CLI of Cisco FTD Software. It has been assigned a CVSS Base Score of 6.7 MEDIUM with a vector string of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-20 (Improper Input Validation). An attacker could exploit this vulnerability by submitting crafted input to the affected commands (NVD, Cisco Advisory).
Successful exploitation would allow the attacker to execute commands as root on the underlying operating system of the affected device. Because root is the highest privilege level on the system, this can lead to complete compromise of the device (Cisco Advisory).
Cisco has released software updates that address this vulnerability. There are no workarounds available. Fixed versions include 6.4.0.13 (released November 2021), 6.6.5, 6.7.0.3 (released January 2022), and 7.0.1. Users of affected versions are advised to upgrade to a fixed release (Cisco Advisory).
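Because the advisory summary above lists fixed releases per train rather than explicit affected ranges, a quick way to triage an inventory is to compare each device's running version against the fix for its train. The following is an added example (not code from the page, Wiz, or Cisco) that does this for the four fixed versions quoted above. It assumes that, within a listed train, any version older than the fixed release is affected, and it reports "unknown" for trains the summary does not mention rather than guessing; the sample `show version` line it parses is constructed and only approximates the real output format.

```python
import re

# Fixed releases quoted in the advisory summary for CVE-2021-34752, keyed by
# release train (first two version components). Assumption: within a listed
# train, anything older than the fix is affected; other trains are "unknown".
FIXED_RELEASES = {
    (6, 4): (6, 4, 0, 13),
    (6, 6): (6, 6, 5),
    (6, 7): (6, 7, 0, 3),
    (7, 0): (7, 0, 1),
}


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '6.4.0.12' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def _pad(version: tuple, length: int) -> tuple:
    """Right-pad with zeros so '6.7.0' compares as '6.7.0.0' against '6.7.0.3'."""
    return version + (0,) * (length - len(version))


def assess(version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for a running FTD version."""
    running = parse_version(version)
    train = running[:2]
    if train not in FIXED_RELEASES:
        return "unknown"  # train not covered by the summary's fix list
    fixed = FIXED_RELEASES[train]
    width = max(len(running), len(fixed))
    if _pad(running, width) >= _pad(fixed, width):
        return "fixed"
    return "affected"


# Constructed sample of a version banner line; the real CLI output may differ.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)*)")


def version_from_banner(line: str) -> str:
    """Extract the dotted version from a banner-style line like 'Version 6.6.1 (Build 91)'."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError(f"no version found in {line!r}")
    return m.group(1)


def triage(inventory: dict) -> dict:
    """Map hostname -> status for a dict of hostname -> version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "ftd-edge-01": "6.4.0.12",
        "ftd-edge-02": "6.6.5",
        "ftd-dc-01": version_from_banner("Model: (constructed) Version 7.0.0 (Build 94)"),
        "ftd-lab-01": "6.5.0.5",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:10} {status}")
```

Treat "unknown" as a prompt to consult the vendor advisory for that train, not as a clean result; the summary on this page only names the four fixed releases, so the script deliberately does not infer anything about others.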
Source: This report was generated using AI