CVE-2024-20361 Overview
CVE-2024-20361 is an access control bypass vulnerability in the Object Groups for Access Control Lists (ACLs) feature of Cisco Firepower Management Center (FMC) Software. The flaw allows an unauthenticated, remote attacker to bypass configured access controls on managed devices running Cisco Firepower Threat Defense (FTD) Software. The vulnerability stems from incorrect deployment of the Object Groups for ACLs feature from FMC to managed FTD devices in high-availability (HA) configurations. After an affected device is rebooted following deployment, attackers can send traffic through the device to reach systems that should be blocked by configured policy.
Critical Impact
Unauthenticated remote attackers can bypass ACL enforcement on FTD devices, sending traffic to network resources that should be protected by Cisco firewall policy.
Affected Products
- Cisco Secure Firewall Management Center 7.1.0 through 7.1.0.3
- Cisco Secure Firewall Management Center 7.2.0 through 7.2.3.1
- Cisco Secure Firewall Management Center 7.3.0 and 7.3.1
Discovery Timeline
- 2024-05-22 - CVE-2024-20361 published to NVD
- 2025-08-07 - Last updated in NVD database
Technical Details for CVE-2024-20361
Vulnerability Analysis
The vulnerability resides in how Cisco FMC deploys Object Groups for ACLs to managed FTD devices configured in high-availability pairs. Object Groups consolidate network objects, services, and protocols into reusable elements that simplify ACL management. When FMC pushes these grouped ACL definitions to HA-paired FTD devices, the deployment process incorrectly programs the resulting rules on the data plane.
The inconsistent rule state becomes exploitable after an affected FTD device reboots. Following the reboot, traffic that should match a deny rule defined through an Object Group is permitted to traverse the device. The vulnerability is classified under CWE-264: Permissions, Privileges, and Access Controls.
The attack requires no authentication and no user interaction. An attacker only needs network reachability to the affected FTD device to send traffic across the bypassed policy boundary. EPSS data places the probability of exploitation at 0.145%.
Root Cause
The root cause is incorrect deployment behavior in FMC when pushing Object Groups for ACLs to FTD devices in HA pairs. The compiled access control entries do not consistently survive the reboot cycle, leaving the device with a permissive policy state that diverges from the administrator's intended configuration.
Attack Vector
The attack vector is network-based with low complexity. An attacker sends crafted traffic through an affected FTD device after it has rebooted following an Object Groups for ACLs deployment. Successful exploitation allows traffic to reach internal hosts, services, or network segments that policy was intended to block, providing reconnaissance and lateral movement opportunities into otherwise segmented environments.
No public proof-of-concept code is available for this issue. Refer to the Cisco Security Advisory for vendor technical detail.
Detection Methods for CVE-2024-20361
Indicators of Compromise
- Network flows traversing FTD HA pairs that match traffic patterns explicitly denied by configured ACL policy.
- Unexpected east-west or north-south connections to internal hosts immediately following an FTD reboot.
- Discrepancies between FMC policy intent and show access-list output on managed FTD devices after deployment events.
Detection Strategies
- Audit FTD device configurations after each FMC deployment and reboot to confirm Object Group ACL entries are present and active.
- Correlate firewall connection logs against the deployed ACL policy to identify allowed flows that should have been denied.
- Enable verbose connection logging on rules built with Object Groups to surface unintended traffic matches.
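One way to implement the log-to-policy correlation described in the detection strategies above, as an added example that is not part of this page or of any Cisco tooling: a Python check that parses ASA/FTD-style 302013 built-connection events (constructed sample lines) and flags permitted flows that match the administrator's intended deny rules. The rule table, interface names and addresses are constructed assumptions, not values from any real deployment.

```python
import ipaddress
import re

# Intended deny rules as the administrator defined them in FMC (constructed sample
# policy, not from any real deployment): name, protocol, source, destination, port.
DENY_RULES = [
    ("BLOCK_GUEST_TO_DB", "TCP", "192.0.2.0/24", "10.10.20.0/24", 3306),
    ("BLOCK_OUTSIDE_SSH", "TCP", "0.0.0.0/0", "10.10.0.0/16", 22),
]
# ASA/FTD-style 302013 "Built ... TCP connection" events; captures only the fields needed.
CONN_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_connection(line):
    m = CONN_RE.search(line)
    if not m:
        return None  # deny events and unrelated messages carry no permitted flow
    return {"proto": "TCP", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def violated_rules(conn):
    # Names of intended deny rules that this permitted connection should have hit.
    src, dst = ipaddress.ip_address(conn["src"]), ipaddress.ip_address(conn["dst"])
    return [
        name
        for name, proto, src_net, dst_net, dport in DENY_RULES
        if conn["proto"] == proto and conn["dport"] == dport
        and src in ipaddress.ip_network(src_net)
        and dst in ipaddress.ip_network(dst_net)
    ]

def find_policy_bypasses(log_lines):
    # Flags every built connection that the deployed deny policy should have blocked.
    findings = []
    for line in log_lines:
        conn = parse_connection(line)
        if conn is None:
            continue
        for name in violated_rules(conn):
            findings.append((name, conn["src"], conn["dst"], conn["dport"]))
    return findings

# Constructed sample events: the first two flows should have been denied, the third is
# legitimately permitted (port 443 is not covered), the fourth is an explicit deny.
SAMPLE_LOGS = [
    "%FTD-6-302013: Built inbound TCP connection 1001 for guest:192.0.2.15/51234 (192.0.2.15/51234) to dmz:10.10.20.7/3306 (10.10.20.7/3306)",
    "%FTD-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/40001 (203.0.113.9/40001) to inside:10.10.5.5/22 (10.10.5.5/22)",
    "%FTD-6-302013: Built inbound TCP connection 1003 for guest:192.0.2.15/51300 (192.0.2.15/51300) to inside:10.10.5.8/443 (10.10.5.8/443)",
    "%FTD-4-106023: Deny tcp src guest:192.0.2.20/40000 dst dmz:10.10.20.7/3306 by access-group CSM_FW_ACL_",
]
```

Running `find_policy_bypasses` over the connection events emitted in the window after an FTD reboot or HA failover surfaces exactly the flows this advisory describes: permitted connections that the Object Group deny rules were meant to stop.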
Monitoring Recommendations
- Continuously ingest FTD syslog and connection events into a centralized analytics platform and alert on policy-violation anomalies after device reboots.
- Monitor FMC deployment job results and FTD HA failover events to identify systems that require post-deployment validation.
- Track destinations protected by Object Group ACL rules and alert on any successful inbound connection attempts from untrusted zones.
How to Mitigate CVE-2024-20361
Immediate Actions Required
- Identify all FMC instances running affected versions (7.1.x, 7.2.x prior to 7.2.4, and 7.3.x) and inventory the FTD HA pairs they manage.
- Apply the fixed Cisco FMC software release as documented in the Cisco Security Advisory.
- After patching, redeploy access control policy to all managed FTD devices and validate ACL state following any subsequent reboot.
Patch Information
Cisco has published fixed software in the Cisco Security Advisory cisco-sa-fmc-object-bypass-fTH8tDjq. Customers with valid service contracts should obtain the upgrade through standard Cisco update channels and follow the advisory's recommended migration path for their current version branch.
Workarounds
- Cisco has not published a configuration-only workaround; upgrading FMC to a fixed release is the supported remediation path.
- As an interim measure, replace Object Groups in critical deny rules with explicit network and service objects until the patch is applied.
- After any FTD reboot or HA failover on unpatched systems, manually verify show access-list output matches the policy intent defined in FMC.
# Validation example - run on the FTD device CLI after reboot
# Confirm the deployed ACL still contains the entries built from the Object Groups
show running-config access-list
# Confirm the expanded entries derived from a given object group are programmed (substitute the group name)
show access-list | include <object-group-name>
# Confirm which HA unit is active so the check runs against the unit passing traffic
show failover state
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.