LiveActive security incident?Get immediate response
CVE Record

CVE-2019-12674: Cisco Firepower Threat Defense Software Multi-instance Container Escape Vulnerabilities

Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.

HighCVSS 8.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This Cisco FTD flaw lets a highly privileged local user inside one multi-instance FTD container break out to the host. If exploited, they could gain root-level control in the host namespace and affect other FTD instances on the same system.

Executive priority

Treat this as high priority where Cisco FTD multi-instance is used, especially in shared or segmented security deployments. The required attacker privileges reduce broad internet risk, but successful exploitation could undermine isolation between instances.

Technical view

CVE-2019-12674 concerns insufficient filesystem protections in Cisco Firepower Threat Defense Software's multi-instance feature. An authenticated local attacker with high privileges could modify critical underlying filesystem files, escape their instance container, and execute commands as root in the host namespace.

Likely exposure

Exposure is most likely in Cisco FTD deployments using the multi-instance feature. The source bundle does not identify specific affected releases, so teams must compare their FTD versions and configurations against Cisco's advisory.

Exploitation context

The source describes local authenticated exploitation with high privileges required. The bundle does not cite active exploitation, public exploit availability, or CISA KEV inclusion, so active exploitation should not be assumed from these sources.

Researcher notes

Key constraints are local access, authentication, and high privileges. The important security boundary is the FTD instance container versus the host namespace. The bundle does not include affected version ranges, patch names, or exploitation telemetry.

Mitigation direction

  • Check Cisco's advisory for affected and fixed FTD releases.
  • Upgrade or patch multi-instance FTD deployments according to Cisco guidance.
  • Restrict local authenticated access to FTD instances to trusted administrators.
  • Review hardening controls around filesystem access and administrative roles.
  • Monitor for unauthorized critical filesystem changes or unexpected root-level activity.

Validation and detection

  • Inventory Cisco FTD systems and identify multi-instance deployments.
  • Verify installed FTD versions against Cisco's advisory.
  • Confirm whether local administrative access is tightly limited and reviewed.
  • Check logs for suspicious filesystem modification or host-namespace activity.
  • Document patch status, compensating controls, and any remaining exceptions.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-216: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-12674 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.2 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.2CVSS 3.0HighCVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H1.56Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

8.2High
CVSS 3.0 vector shape for CVE-2019-12674Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Firepower Threat Defense SoftwareunspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-216 · source CWE mapping

DEPRECATED: Containment Errors (Container Errors)

DEPRECATED: Containment Errors (Container Errors) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.