CVE DATABASE / CVE-2020-3452

CVE-2020-3452

Cisco ASA and FTD Read-Only Path Traversal Vulnerability

CVSS 7.5 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2021-11-03. Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.

Summary

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

CVSS 3.1 breakdown

Base score	7.5 (HIGH)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity	NONE
Availability	NONE

Weakness type (CWE)

Affected products

Cisco adaptive security appliance softwareCisco asa 5505Cisco asa 5510Cisco asa 5512-xCisco asa 5515-xCisco asa 5520Cisco asa 5525-xCisco asa 5540Cisco asa 5545-xCisco asa 5550Cisco asa 5555-xCisco asa 5580Cisco asa 5585-xCisco firepower threat defense

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2025-10-28. Always verify against the vendor advisory before acting.