Imagine you trust your firewall to stop cyber attackers. But a hidden set of user accounts with static passwords could let someone walk right in. That’s CVE-2024-20412, a serious vulnerability in Cisco Firepower Threat Defense (FTD) Software for Firepower 100, 210, 310, and 420 Series appliances.
In plain English, an attacker can use a hardcoded username and password—built into your firewall by Cisco—to access the device and potentially break things badly enough that only a full reimage can fix it.
Read on for a breakdown, code snippet, actual exploit details, and what you can do.
What Is CVE-2024-20412?
CVE-2024-20412 is a vulnerability stemming from the use of static (hard-coded) credentials on certain Cisco Firepower devices. If an attacker can reach the CLI (command-line interface) locally—over a console or maybe by chaining other attacks—they can log in without knowing any secrets.
- Access Required: Local (need to reach device physically or via chained attacks)
- Effect: Unauthenticated access, can leak configs, change some settings, or even brick the firewall
- Affected devices include: Cisco Firepower 420 Series
Note: Only devices running specific, vulnerable versions of FTD Software are affected. Check Cisco’s advisory for versions ([see below](#references)).
How Does the Vulnerability Work?
Cisco left one or more user accounts in the system with a fixed username and password. These credentials are always the same for all devices shipping with the affected software. An attacker with any kind of local access (console cable, KVM, chained exploit) can simply log in.
- Attacker connects to CLI (often via serial or other low-level method).
- Attacker uses hard-coded credentials (for example cisco_support/cisco123; *this is not the real login, only an illustration*).
Exploit Example: Simulated CLI Access
Let’s show how an attacker might use the static credentials, assuming they have console access.
```python
# Example using python and pexpect for automated login
import pexpect

SERIAL_PORT = '/dev/ttyUSB'    # Serial port to device (adjust to your adapter)
USERNAME = 'hardcoded_user'    # Placeholder
PASSWORD = 'hardcoded_pass'    # Placeholder
BAUD = 9600                    # Console speed

try:
    # Open the console through screen and drive the login prompts
    child = pexpect.spawn(f'screen {SERIAL_PORT} {BAUD}', timeout=30)
    child.expect('login:')
    child.sendline(USERNAME)
    child.expect('Password:')
    child.sendline(PASSWORD)
    child.expect('#')          # shell prompt means the login was accepted
    print('[+] Login successful, you are in the device as static user!')
except Exception as e:
    print('[-] Failed to log in:', e)
```
*Note: Replace hardcoded_user and hardcoded_pass with the real values if you are testing on your own hardware. Never exploit systems you don’t own!*
- Perform limited troubleshooting: Read logs, run some commands
- Modify certain configs: Not full control—but enough to weaken security or prepare for more attacks
- Potentially brick the firewall: Some commands could leave it unbootable, requiring a full reimage
In other words, total ownage in the wrong hands.
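Because the static account is not one your team created, the practical defender's check is to flag any CLI login by a username outside your known inventory, and to treat console (serial) logins with extra suspicion, since that is the access path this bug needs. The script below is an added example and not Cisco's code or part of the original post; the syslog line formats, hostnames, usernames and the `EXPECTED_ACCOUNTS` inventory are all constructed for illustration and will need adjusting to the real messages your firewalls emit.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (NOT real FTD output); the two message shapes
# are assumptions modelled on generic "accepted login" and "console login" events.
SAMPLE_LOGS = [
    "Oct 23 18:15:09 ftd01 sshd: Accepted password for netops from 10.0.0.5 port 51234",
    "Oct 23 18:20:41 ftd01 login: LOGIN ON ttyS0 BY svc_static",
    "Oct 23 18:22:02 ftd01 sshd: Accepted password for auditor from 10.0.0.9 port 51240",
    "Oct 23 19:01:13 ftd01 login: LOGIN ON ttyS0 BY netops",
]

# Accounts the operator deliberately provisioned (constructed inventory).
# Any other account logging in is either a surprise or a built-in one.
EXPECTED_ACCOUNTS = {"admin", "netops", "auditor"}

# One regex per assumed message shape; both capture a user and a source.
LOGIN_PATTERNS = [
    re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"LOGIN ON (?P<src>\S+) BY (?P<user>\S+)"),
]


@dataclass(frozen=True)
class LoginEvent:
    user: str
    source: str      # IP address for remote logins, tty name for console logins
    console: bool    # True when the login came in over a serial/console line
    raw: str


def parse_login(line):
    """Return a LoginEvent for a successful-login line, or None otherwise."""
    for pat in LOGIN_PATTERNS:
        m = pat.search(line)
        if m:
            src = m.group("src")
            return LoginEvent(
                user=m.group("user"),
                source=src,
                console=src.startswith("tty"),
                raw=line,
            )
    return None


def find_unexpected_logins(lines, expected=EXPECTED_ACCOUNTS):
    """Logins by any account that is not in the operator's inventory."""
    events = [e for e in map(parse_login, lines) if e]
    return [e for e in events if e.user not in expected]


def find_console_logins(lines):
    """All logins that arrived over a console line, whoever the user was."""
    return [e for e in map(parse_login, lines) if e and e.console]


def alerts(lines, expected=EXPECTED_ACCOUNTS):
    """Human-readable alert strings; console logins by unknown users rank highest."""
    out = []
    for e in find_unexpected_logins(lines, expected):
        level = "HIGH" if e.console else "MEDIUM"
        out.append(f"[{level}] unexpected account '{e.user}' logged in from {e.source}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOGS):
        print(line)
```

Feed it the authentication log stream from your Firepower appliances (or the syslog collector they forward to) and keep `EXPECTED_ACCOUNTS` in sync with your change records; a hit on an account nobody provisioned is exactly the signal this vulnerability produces when abused, and it remains a useful control after patching because it also catches forgotten service accounts.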
Official References
- Cisco Security Advisory for CVE-2024-20412
- NIST NVD Entry for CVE-2024-20412
Conclusion
CVE-2024-20412 proves that hardcoded credentials are never safe—even from a trusted vendor. If you run a Cisco Firepower 100/210/310/420 with a vulnerable FTD version, upgrading now is not optional. The static accounts are a real, practical risk to your firewall and network. Don’t wait to act.
*Stay safe and patch quickly! Don’t let static credentials turn your defenses into a welcome mat.*
Timeline
Published on: 10/23/2024 18:15:09 UTC
Last modified on: 11/05/2024 15:03:34 UTC