HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2020-3452

CVSS 7.5v3.1pub. 2020-07-22upd. 2025-10-28

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Cisco Adaptive Security Appliance Software

    OS
    Cisco
    9.6 – 9.6.4.42 (bez)9.8 – 9.8.4.20 (bez)9.9 – 9.9.2.74 (bez)9.10 – 9.10.1.42 (bez)9.12 – 9.12.3.12 (bez)9.13 – 9.13.1.10 (bez)9.14 – 9.14.1.10 (bez)
  • Cisco Asa 5505

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5510

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5512 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5515 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5520

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5525 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5540

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5545 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5550

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5555 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5580

    HW
    Cisco
    wszystkie wersje
  • Cisco Asa 5585 X

    HW
    Cisco
    wszystkie wersje
  • Cisco Firepower Threat Defense

    APP
    Cisco
    6.2.3 – 6.2.3.16 (bez)6.3.0 – 6.3.0.6 (bez)6.4.0 – 6.4.0.10 (bez)6.5.0 – 6.5.0.5 (bez)6.6.0 – 6.6.0.1 (bez)

CISA KEV — detailsi

Vendori
Cisco
Producti
Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
Path TraversalVPN
CWE
References

Related vulnerabilities

CVE-2025-20333CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE jako root w Cisco ASA i FTD poprzez podatny serwer VPN web

CVE-2025-20363CRITICAL9.0PL ✓ten sam produkt

RCE w web services Cisco ASA, FTD, IOS, IOS XE, IOS XR przez HTTP

CVE-2024-20412CRITICAL9.3PL ✓ten sam produkt

Cisco FTD: statyczne konta z zakodowanymi hasłami umożliwiają nieautoryzowany dostęp

CVE-2024-20329CRITICAL9.9PL ✓ten sam produkt

RCE w podsystemie SSH Cisco ASA — wykonanie poleceń jako root

CVE-2022-20829CRITICAL9.1ten sam produkt

A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of...