Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. The first attempts to exploit the flaw were observed shortly after disclosure.
The vulnerability, identified as CVE-2020-3452, impacts the web services interface of Cisco’s Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software, which run on the company’s firewalls.
According to the networking giant, an attacker can exploit the vulnerability without authentication by sending an HTTP request with directory traversal character sequences to the targeted device. However, the company pointed out that the attack only works if the device uses the AnyConnect or WebVPN feature with a certain configuration.
Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.
“The web services files that the attacker can view may have information such as WebVPN configuration, bookmarks, web cookies, partial web content, and HTTP URLs,” Cisco explained.
The vulnerability was reported to Cisco by Mikhail Klyuchnikov of Positive Technologies and independently by Abdulrahman Nour and Ahmed Aboul-Ela of RedForce.
“The cause [of the vulnerability] is a failure to sufficiently verify inputs,” Klyuchnikov explained. “An attacker can send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM. Thus an attacker could read certain WebVPN files containing such information as the WebVPN configuration of Cisco ASA users, bookmarks, cookies, web content, and HTTP URLaddresses.”
Cisco initially said it was not aware of any attacks exploiting CVE-2020-3452, but within hours the company updated its advisory to inform customers that a PoC exploit had been made available.
Aboul-Ela published a PoC exploit on Twitter and others published an NMAP script for it. Cisco’s advisory was again updated roughly 24 hours after disclosure to say that the company had become aware of “active exploitation of the vulnerability.” No details appear to have been made available on these attacks.
Rapid7 reported seeing 85,000 ASA/FTD devices on the internet, including 398 spread across 17% of the Fortune 500 companies. Only roughly 10% of the exposed devices have been rebooted since the release of the patch, which indicates that they have likely been patched.
Related: Cisco Patches High Severity Vulnerabilities in Security Products
Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers
Related: Cisco Patches Vulnerabilities in Small Business Routers, Switches

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
- Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency
Latest News
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
