CVE-2018-0296

HIGH KEV NUCLEI

Cisco ASA & FTD - Unauthenticated DoS & Info Disclosure via HTTP URL

Title source: llm

Exploitation Summary

CVE-2018-0296 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 8 public exploits from researchers including Angelo Ruwantha, Yassine Aboukir, yassineaboukir, including a Metasploit module auxiliary/scanner/http/cisco_directory_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a path traversal vulnerability (CVE-2018-0296) in Cisco ASA devices to retrieve sensitive system information without authentication. It sends crafted HTTP requests to traverse directories and extract file listings, session data, and usernames.

Description

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

Exploits (8)

exploitdb WORKING POC

by Angelo Ruwantha · rubywebappshardware

https://www.exploit-db.com/exploits/47220

View Code ZIP pw:eip

This Metasploit module exploits a path traversal vulnerability (CVE-2018-0296) in Cisco ASA devices to retrieve sensitive system information without authentication. It sends crafted HTTP requests to traverse directories and extract file listings, session data, and usernames.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco Adaptive Security Appliance (ASA) multiple versions

No auth needed

Prerequisites: Network access to the target Cisco ASA device

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Yassine Aboukir · pythonwebappshardware

https://www.exploit-db.com/exploits/44956

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in Cisco ASA and FTD software to retrieve sensitive system information, including directory listings, active sessions, and user details, without authentication. It sends crafted HTTP requests to specific endpoints and parses the responses to extract data.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software

No auth needed

Prerequisites: Network access to the vulnerable Cisco ASA/FTD web interface

MITRE ATT&CK

T1006 - Direct Volume Access T1119 - Automated Collection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 206 stars

by yassineaboukir · infoleak

https://github.com/yassineaboukir/CVE-2018-0296

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2018-0296, a path traversal vulnerability in Cisco ASA and FTD software. It allows unauthenticated access to sensitive system information by traversing directories and dumping file contents, active sessions, and usernames.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software

No auth needed

Prerequisites: Target URL with vulnerable Cisco ASA/FTD software

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 106 stars

by milo2012 · infoleak

https://github.com/milo2012/CVE-2018-0296

View Code ZIP pw:eip

This Go-based tool checks for the presence of CVE-2018-0296, a directory traversal vulnerability in Cisco ASA devices. It verifies if the target is a Cisco VPN device and attempts to exploit the vulnerability to leak session information.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Cisco ASA Software

No auth needed

Prerequisites: Network access to the target Cisco ASA device · Target device must be running a vulnerable version of Cisco ASA Software

MITRE ATT&CK

T1006 - Direct Volume Access T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by bhenner1 · infoleak

https://github.com/bhenner1/CVE-2018-0296

View Code ZIP pw:eip

This Python script exploits CVE-2018-0296, a path traversal vulnerability in Cisco ASA devices, to retrieve sensitive files from the target system. It checks for vulnerability by sending a crafted request and saves the results to a file.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco ASA (Adaptive Security Appliance) with vulnerable webvpn configuration

No auth needed

Prerequisites: Target must be a Cisco ASA device with vulnerable webvpn configuration · Network access to the target device

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

gitlab WORKING POC

by The-Real-TechLord · poc

https://gitlab.com/The-Real-TechLord/CVE-2018-0296

View Code ZIP pw:eip

The repository contains a functional Python script that exploits CVE-2018-0296, a path traversal vulnerability in Cisco ASA and FTD software, allowing unauthenticated access to sensitive system information. The script automates the retrieval of directory listings, active sessions, and user data via crafted HTTP requests.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software

No auth needed

Prerequisites: Network access to the target Cisco ASA/FTD web interface

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 23, 2026 Full analysis →

nomisec SCANNER

by qiantu88 · remote

https://github.com/qiantu88/CVE-2018-0296

View Code ZIP pw:eip

This Go-based tool scans for CVE-2018-0296, a directory traversal vulnerability in Cisco ASA devices. It checks for the presence of vulnerable endpoints and attempts to enumerate session files.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Cisco ASA (Adaptive Security Appliance) with WebVPN enabled

No auth needed

Prerequisites: Network access to the target device · WebVPN interface exposed

MITRE ATT&CK

T1083 - File and Directory Discovery T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by Michał Bentkowski, Yassine Aboukir, Shelby Pace · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_directory_traversal.rb

View Code ZIP pw:eip

This Metasploit module exploits a directory traversal vulnerability (CVE-2018-0296) in Cisco ASA and Firepower Threat Defense (FTD) software. It allows an attacker to list files and sessions, including logged-in users, by manipulating paths in the VPN web service.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Cisco ASA and Firepower Threat Defense (FTD) software

No auth needed

Prerequisites: Network access to the target device · VPN web service exposed

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Cisco ASA - Local File Inclusion

HIGHby organiccrap

References (7)

Core 7

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0296

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/104612

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44956/

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1041076

Third Party Advisory, US Government Resource x_refsource_misc

https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01

Vendor Advisory x_refsource_confirm

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/154017/Cisco-Adaptive-Security-Appliance-Path-Traversal.html

Scores

CVSS v3 7.5

EPSS 0.9440

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2021-11-03

VulnCheck KEV 2019-04-17

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2018-1119

CWE

CWE-22 CWE-20

Status published

Products (6)

cisco/adaptive_security_appliance_software 9.1 - 9.1.7.29

cisco/firepower_threat_defense 6.2.3

cisco/firepower_threat_defense 6.2.3-85.02

cisco/firepower_threat_defense 6.2.3-851

cisco/firepower_threat_defense 6.2.3.1

cisco/firepower_threat_defense 6.0 - 6.1.0

Published Jun 07, 2018

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026