Description
A vulnerability in the sftunnel functionality of Cisco Secure Firewall Management Center (FMC) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrative privileges to write arbitrary files as root on the underlying operating system.

This vulnerability is due to insufficient validation of the directory path during file synchronization. An attacker could exploit this vulnerability by crafting a directory path outside of the expected file location. A successful exploit could allow the attacker to create or replace any file on the underlying operating system.
Published: 2026-03-04
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A directory traversal flaw in the sftunnel component of Cisco Secure Firewall Management Center (FMC) and Cisco Secure Firewall Threat Defense (FTD) allows an authenticated admin to write arbitrary files with root privileges on the underlying operating system. The flaw arises from insufficient validation of directory paths during file synchronization, enabling an attacker to craft a path outside the intended location. By creating or replacing files, an attacker may install malware or alter system configuration, effectively achieving local privilege escalation and potentially executing arbitrary code on the host.

Affected Systems

The vulnerability affects Cisco Secure Firewall Management Center (FMC) Software and Cisco Secure Firewall Threat Defense (FTD) Software. No specific affected versions are listed in the advisory; users should verify whether their deployed FMC/FTD instances are vulnerable or, if available, consult the vendor for patches.

Risk and Exploitability

With a CVSS score of 5.9 and an EPSS of less than 1%, the risk is moderate and the likelihood of exploitation is low, especially given that the attacker must possess authenticated administrative credentials. The vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the flaw by logging into FMC/FTD, using the sftunnel feature to send a crafted path that resolves outside the intended directory, and writing arbitrary files—such as executable binaries or scripts—thereby achieving root-level access and arbitrary code execution on the underlying system.

Generated by OpenCVE AI on April 16, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Cisco security update for the affected FMC/FTD product to address the directory traversal flaw.
  • If a patch is not yet available, restrict administrative access to the FMC/FTD management console and disable or tightly control the sftunnel feature to prevent directory traversal attempts.
  • Implement monitoring for suspicious file creation events or anomalous path usage, and consider enabling file integrity monitoring to detect unauthorized changes to critical system files.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Cisco; Cisco secure Firewall Management Center; Cisco secure Firewall Threat Defense

Type: Vendors & Products
Values Added: Cisco; Cisco secure Firewall Management Center; Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:00:00 +0000

Type: Description
Values Added: A vulnerability in the sftunnel functionality of Cisco Secure Firewall Management Center (FMC) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrative privileges to write arbitrary files as root on the underlying operating system. This vulnerability is due to insufficient validation of the directory path during file synchronization. An attacker could exploit this vulnerability by crafting a directory path outside of the expected file location. A successful exploit could allow the attacker to create or replace any file on the underlying operating system.

Type: Title
Values Added: Cisco Firepower Management Center Software and Firepower Threat Defense Path Traversal Vulnerability

Type: Weaknesses
Values Added: CWE-27

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:50:59.298Z

Reserved: 2025-10-08T11:59:15.351Z

Link: CVE-2026-20018

Vulnrichment

Updated: 2026-03-04T20:50:55.761Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T18:16:16.407

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses