CVE-2021-34753

A vulnerability in the payload inspection for Ethernet Industrial Protocol (ENIP) traffic for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured rules for ENIP traffic. This vulnerability is due to incomplete processing during deep packet inspection for ENIP packets. An attacker could exploit this vulnerability by sending a crafted ENIP packet to the targeted interface. A successful exploit could allow the attacker to bypass configured access control and intrusion policies that should trigger and drop for the ENIP packet.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-enip-bypass-eFsxd8KP	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.0:::::::*

History

07 Aug 2025, 18:04

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cisco:firepower_threat_defense_software:::::::: cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.0:::::::*
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-enip-bypass-eFsxd8KP -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-enip-bypass-eFsxd8KP - Vendor Advisory
First Time		Cisco firepower Threat Defense Software Cisco

Information

Published : 2024-11-15 17:15

Updated : 2025-08-07 18:04

NVD link : CVE-2021-34753

Mitre link : CVE-2021-34753

CVE.ORG link : CVE-2021-34753

JSON object : View

Products Affected

cisco

firepower_threat_defense_software

CWE

CWE-284

Improper Access Control

{"id": "CVE-2021-34753", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-15T17:15:10.303", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-enip-bypass-eFsxd8KP", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@cisco.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the payload inspection for Ethernet Industrial Protocol (ENIP) traffic for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured rules for ENIP traffic.\r\n\r\nThis vulnerability is due to incomplete processing during deep packet inspection for ENIP packets. An attacker could exploit this vulnerability by sending a crafted ENIP packet to the targeted interface. A successful exploit could allow the attacker to bypass configured access control and intrusion policies that should trigger and drop for the ENIP packet."}, {"lang": "es", "value": "Una vulnerabilidad en la inspecci\u00f3n de payload del tr\u00e1fico del Protocolo industrial Ethernet (ENIP) para el software Cisco Firepower Threat Defense (FTD) podr\u00eda permitir que un atacante remoto no autenticado eluda las reglas configuradas para el tr\u00e1fico ENIP. Esta vulnerabilidad se debe a un procesamiento incompleto durante la inspecci\u00f3n profunda de paquetes de ENIP. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando un paquete ENIP manipulado a la interfaz de destino. Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante eludir las pol\u00edticas de intrusi\u00f3n y control de acceso configuradas que deber\u00edan activarse y descartarse para el paquete ENIP."}], "lastModified": "2025-08-07T18:04:40.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D5AFA91-26D4-4CFC-80FA-02F760973A94", "versionEndExcluding": "6.4.0.13"}, {"criteria": "cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42D05DF5-603A-489F-AF1C-35B0EEB9E2CA", "versionEndExcluding": "6.6.5.1", "versionStartIncluding": "6.5.0"}, {"criteria": "cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DBECBCE-8188-40C7-81B8-0D6362384A36", "versionEndExcluding": "6.7.0.3", "versionStartIncluding": "6.7.0"}, {"criteria": "cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDE321FE-9034-4E0F-9A32-D41443A9D86A"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}