Cyber Resilience

CVE-2020-3452

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 July 2020
Modified: 28 October 2025
KEV Added: 03 November 2021
Patch: available (Cisco advisory cisco-sa-asaftd-ro-path-KJuQhB86)
CVSS v3.1 Score: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.9443 (100.0th percentile)
Risk Priority: 92 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-3452 is a high-severity improper input validation (CWE-20) and path traversal (CWE-22) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Its CVSS 3.1 base score is 7.5 (High): the flaw is reachable over the network with low attack complexity, needs no privileges or user interaction, and has a high confidentiality impact with no integrity or availability impact.

Operationally, its EPSS score of 0.9443 places it at the 100.0th percentile, among the CVEs most likely to be exploited; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation). For an operator, SI-10 is delivered by Cisco's fix to the web services interface rather than by configuration, so the actionable control is SI-2: upgrade to a fixed release, and until then treat any device with WebVPN or AnyConnect enabled as exposed to an unauthenticated attacker.

Deeper analysis

A vulnerability tracked as CVE-2020-3452 exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It stems from insufficient input validation of URLs in HTTP requests and is present when the device is configured with WebVPN or AnyConnect features, which enable the web services file system. The flaw is assigned CWE-20 and CWE-22 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request containing directory traversal sequences. Successful exploitation grants the ability to read arbitrary files stored in the web services file system, although ASA or FTD system files and underlying operating system files cannot be accessed. That exclusion does not make the issue benign: the web services file system holds the content the VPN portal serves and relies on, which is why the vector rates confidentiality impact as High.

The official Cisco Security Advisory, cisco-sa-asaftd-ro-path-KJuQhB86, details the vulnerability. Multiple public exploit proofs of concept published on PacketStorm Security are referenced alongside it, covering affected releases including 9.6, 9.11, 9.14, and FTD 6.6.


Vulnerability details

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

CWE(s): CWE-20 (Improper Input Validation), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Adaptive Security Appliance Software: 9.6 to 9.6.4.42; 9.8 to 9.8.4.20; 9.9 to 9.9.2.74
Cisco Firepower Threat Defense: 6.2.3 to 6.2.3.16; 6.3.0 to 6.3.0.6; 6.4.0 to 6.4.0.10

These ranges are the ones recorded on this page. The public proofs of concept cited above also target ASA 9.14 and FTD 6.6, so treat this list as incomplete and confirm fixed releases against the Cisco advisory for the exact train in use.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of URL inputs in HTTP requests to block the directory traversal sequences that enable the file read. On these devices the validation lives in Cisco's web services code, so the control is satisfied by running fixed software rather than by operator configuration.

SI-2 Flaw Remediation (prevent): mandates timely application of the vendor patches that eliminate the input-validation flaw in the WebVPN/AnyConnect web services interface.

Access enforcement (prevent): enforces access-control policy on the web services file system so that even a successful traversal cannot expose files beyond authorized boundaries.
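As an added illustration, not code from this page, from Cisco, or from any of the referenced proofs of concept, the Python below models the two sides of the CWE-22 pattern described in the deeper analysis and in the SI-10 control: a path validator that percent-decodes the request (including double encoding), normalises it and refuses anything resolving outside the served directory, and a detector that runs the same logic over access-log lines and reports whether each traversal attempt would have escaped the served tree. The web root /webfs/public, the sibling sessions directory, the log format and the client addresses are all assumptions constructed for the example; it does not reproduce the request used against ASA/FTD.

```python
"""Illustrative model of the CWE-22 pattern behind CVE-2020-3452: a URL path
validator of the kind NIST SI-10 describes, and a log-side detector for the
traversal sequences an attacker would send. Added example, not Cisco's code
or the page's; web root, directory names and log lines are constructed."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumed layout: only /webfs/public is meant to be served; /webfs/sessions
# lives in the same file system but must never be reachable through the URL.
WEB_ROOT = "/webfs/public"

TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and the double-encoded
    %252e%252e%252f both collapse to ../ before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def contains_traversal(raw_path: str) -> bool:
    """Detection view: does the decoded path carry a ../ segment?
    Backslashes are folded to / so ..\\ variants are caught as well."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def safe_resolve(raw_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Prevention view: map the request path under web_root, normalise it,
    and refuse anything that resolves outside web_root. This is a
    containment check, not a blacklist of ../, which is what encoded
    variants bypass. Returns the resolved path or None when rejected."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    if "\x00" in decoded:  # a NUL would truncate the path in C-level file APIs
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed access-log lines (timestamp, client, method, path, status);
# the client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-07-23T10:00:01Z 203.0.113.5 GET /index.html 200
2020-07-23T10:00:02Z 203.0.113.5 GET /css/../logo.png 200
2020-07-23T10:00:03Z 198.51.100.7 GET /%2e%2e/%2e%2e/sessions/cache.db 200
2020-07-23T10:00:04Z 198.51.100.7 GET /%252e%252e%252fsessions%252fcache.db 200
2020-07-23T10:00:05Z 192.0.2.9 GET /..foo/bar.html 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def scan_log(text: str) -> list:
    """Flag every request whose decoded path carries a traversal sequence and
    record whether it would have escaped WEB_ROOT, the case that matters for
    this CVE, where the target files sit elsewhere in the same file system."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not contains_traversal(m["path"]):
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "path": m["path"],
            "escapes_root": safe_resolve(m["path"]) is None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running the block flags three of the five constructed requests: the intra-root `/css/../logo.png` (traversal syntax, but it still resolves inside the served tree) and the two encoded requests from 198.51.100.7, which resolve to /webfs/sessions and so would have escaped the served directory. Note that the detector decodes before matching; a rule that only looks for the literal string `../` misses both encoded forms.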
