What is CVE-2020-3452?

CVE-2020-3452 is a high-severity vulnerability in Cisco Adaptive Security Appliance (Asa) Software, classified under Improper Input Validation. CVSS score: 7.5/10. Published 2020-07-22.

How severe is CVE-2020-3452?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2020-3452 known to be exploited?

Yes. CVE-2020-3452 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 159 public proof-of-concept repositories are indexed.

Improper input validation in Cisco Adaptive Security Appliance (Asa) Software

CVE-2020-3452

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Cisco Adaptive Security Appliance (Asa) Software — versions unspecified

Weakness classification (CWE)

CWE-20 — Improper Input Validation

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2021-11-03. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-05-03.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

20200722 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability (vendor-advisory, x_refsource_CISCO)
packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html (x_refsource_MISC)
packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software… (x_refsource_MISC)
packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html (x_refsource_MISC)
packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Trave… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-3452?: CVE-2020-3452 is a high-severity vulnerability in Cisco Adaptive Security Appliance (Asa) Software, classified under Improper Input Validation. CVSS score: 7.5/10. Published 2020-07-22.
How severe is CVE-2020-3452?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2020-3452 known to be exploited?: Yes. CVE-2020-3452 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 159 public proof-of-concept repositories are indexed.