Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Command Injection in Cisco ASA and FTD Restore Functionality

IdentifiersCVE-2024-20358CWE-77

CVE-2024-20358 is a command injection vulnerability in the restore functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw exists because the contents of a backup file are improperly sanitized during restore processing. An authenticated local attacker with administrator-level privileges can exploit the issue by restoring a crafted backup file to an affected device. Successful exploitation results in arbitrary command execution on the underlying Linux operating system with root privileges.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary command execution on the underlying operating system as root. This gives the attacker full control of the affected device, enabling installation of malware, persistence, access to sensitive configuration and traffic-related data, and further compromise of the firewall platform. Supporting context also notes these ASA/FTD vulnerabilities were associated with attacks in early 2024 in which attackers attempted to install malware and steal data from compromised devices.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict restore operations to highly trusted administrators only, prevent use of untrusted or externally supplied backup files, and tightly control local administrative access to ASA/FTD devices. Monitor for unusual restore activity, signs of root-level command execution, malware installation, or other indicators of compromise on affected firewall devices. Use Cisco Talos indicators and Cisco forensic guidance to assess device integrity until upgrades can be completed.

Remediation

Patch, then assume compromise.

Upgrade Cisco ASA and Cisco FTD to fixed software releases. The provided content indicates affected ASA releases are versions prior to 9.12.4.67, 9.16.4.57, 9.18.4.22, 9.19.1.28, and 9.20.2.10, and affected FTD releases are versions prior to 7.4.1.1, 7.2.6, and 7.0.6.2. Cisco-released software updates should be applied immediately. During remediation, organizations should also investigate devices for signs of compromise using Cisco incident response and forensic guidance.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsAdaptive Security Applianceoperating_system
Cisco SystemsAdaptive Security Appliance Softwareoperating_system
Cisco SystemsFirepower Threat Defense Softwareapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
zeropath blogNews
Aug 14, 2025
Cisco Firepower CVE-2025-20127: Brief Summary of TLS 1.3 ChaCha20 Resource Exhaustion Vulnerability - ZeroPath Blog | ZeroPath

A previously disclosed high-severity vulnerability in Cisco ASA and FTD products mentioned as part of Cisco's security history; no specific technical details are provided in the content.

Read more
censys blogNews
May 1, 2024
Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor - Censys

A Cisco ASA/FTD zero-day vulnerability identified during the ArcaneDoor investigation; the content states only CVE-2024-20353 and CVE-2024-20359 were exploited in the campaign.

Read more
kyberturvallisuuskeskus alertsNews
Apr 24, 2024
Useita vakavia haavoittuvuuksia Cisco ASA ja FTD-tuotteissa | Traficom

A Cisco ASA and Cisco FTD command injection vulnerability affecting vulnerable software versions.

Read more
kyberturvallisuuskeskus alertsNews
Apr 24, 2024
Useita vakavia haavoittuvuuksia Cisco ASA ja FTD-tuotteissa | Traficom

A Cisco ASA and Cisco FTD command injection vulnerability affecting specific vulnerable software versions.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-20358
NVD
nvd.nist.gov/vuln/detail/CVE-2024-20358
MITRE CWE · CWE-77
cwe.mitre.org
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm