Cisco this week patched a vulnerability in its Firepower Device Manager (FDM) On-Box software, which allowed threat actors to gain control of the company’s Firepower next-generation firewalls.

Positive Technologies threat researchers Nikita Abramov and Mikhail Klyuchnikov discovered the vulnerability (CVE-2021-1518), which received a Common Vulnerability Scoring System (CVSS) score of 6.3.

The vulnerability lies in the FDM On-Box's representational state transfer (REST) API. The API accepts HTTP or HTTPS requests to enable interaction between web services. In this case, the flaw allowed an attacker to run arbitrary code on the underlying operating system of an affected device.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” wrote Abramov in a research note. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

According to Positive Technologies, the vulnerability affects FDM On-Box versions 6.3.0 through 6.7.0. Cisco patched it in versions 6.4.0.12, 6.4.4, and 6.7.0.2.

Additionally, Positive Technologies researchers recommend using network detection and response (NDR), network traffic analysis (NTA), and/or security information and event management (SIEM) services to detect and prevent attempts to exploit affected firewalls.