This module exploits an authenticated command injection vulnerability affecting
Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
ASDM web server and lands in the FirePower Services SFR module's Linux virtual
machine as the root user. Access to the virtual machine allows the attacker to
pivot to the inside network, and access the outside network. Also, the SFR
virtual machine is running snort on the traffic flowing through the ASA, so
the attacker should have access to this diverted traffic as well.
This module requires ASDM credentials in order to traverse the ASDM interface.
A similar attack can be performed via Cisco CLI (over SSH), although that isn't
Finally, it's worth noting that this attack bypasses the affects of the
`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
available but this attack makes it available).
Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
versions 184.108.40.206, 220.127.116.11, 6.6.7, and 7.0.21. The following versions will
receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.