Cyber Resilience

CVE-2022-20759

Severity: High · Public PoC available

Published: 03 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed releases listed in the Cisco advisory
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1339 (94.3rd percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-20759 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS 0.1339, 94.3rd percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software stems from improper separation of authentication and authorization scopes. An authenticated but unprivileged remote attacker can send crafted HTTPS messages to the interface and obtain privilege level 15 access on the web management interface, including through tools such as Cisco Adaptive Security Device Manager (ASDM) or Cisco Security Manager (CSM). The CVSS 3.1 base score is 8.8; on FTD the real impact is lower than the score suggests, because the affected web management interface allows read access only.

An attacker who already possesses valid low-privilege credentials on an affected device can exploit the flaw remotely without user interaction to escalate to full administrative control of the management plane. Successful exploitation grants the ability to view or modify device configuration and policies through the web interface.

The Cisco Security Advisory cisco-sa-asaftd-mgmt-privesc-BMFMUvye and the associated GitHub security advisory detail the issue and list fixed software releases. The EPSS score has remained flat at 0.1339 with no material increase after disclosure.


Vulnerability details

A vulnerability in the web services interface for remote access VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, but unprivileged, remote attacker to elevate privileges to level 15.

This vulnerability is due to improper separation of authentication and authorization scopes. An attacker could exploit this vulnerability by sending crafted HTTPS messages to the web services interface of an affected device. A successful exploit could allow the attacker to gain privilege level 15 access to the web management interface of the device. This includes privilege level 15 access to the device using management tools like the Cisco Adaptive Security Device Manager (ASDM) or the Cisco Security Manager (CSM). Note: With Cisco FTD Software, the impact is lower than the CVSS score suggests because the affected web management interface allows for read access only.

CWE(s)

CWE-266: Incorrect Privilege Assignment
CWE-269: Improper Privilege Management

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Cisco Firepower Threat Defense: 7.1.0; 6.4.0.15 and earlier; 6.5.0 through 6.6.5.2; 6.7.0 through 7.0.2
Cisco Adaptive Security Appliance Software: 9.12.4.38 and earlier; 9.13.0 through 9.14.4; 9.15.0 through 9.15.1.21

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-269, CWE-266: Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

Addresses CWE-269, CWE-266: Access supervision ensures privileges are assigned and managed without improper escalation or retention.

Addresses CWE-269, CWE-266: Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

Addresses CWE-266, CWE-269: The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.

Addresses CWE-269, CWE-266: Implements core proper privilege management by restricting accounts to only the rights they require.

Addresses CWE-269: Enforces proper privilege management by requiring that all access decisions pass through the verified reference monitor.

Addresses CWE-269: Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

Addresses CWE-269: Training covers proper privilege management practices, making incorrect privilege assignments less likely.

References