CVE-2020-3187

CRITICAL EXPLOITED NUCLEI

Cisco ASA & FTD - Unauthenticated Path Traversal & Arbitrary File Deletion via HTTP

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-3187 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including 0xmmnbassel, Cappricio-Securities, CrackerCat. A Nuclei detection template is also available.

AI-analyzed exploit summary This script exploits CVE-2020-3187, an unauthenticated arbitrary file deletion vulnerability in Cisco ASA software. It uses a crafted HTTP request with a malicious cookie to delete files on the target system.

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system. This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability can not be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. Reloading the affected device will restore all files within the web services file system.

Exploits (6)

exploitdb WORKING POC
by 0xmmnbassel · bashwebappshardware
https://www.exploit-db.com/exploits/48723

This script exploits CVE-2020-3187, an unauthenticated arbitrary file deletion vulnerability in Cisco ASA software. It uses a crafted HTTP request with a malicious cookie to delete files on the target system.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Cisco ASA Software >=9.14 (except 9.11), Cisco FTD Software >=6.2.2
No auth needed
Prerequisites: Target system running vulnerable Cisco ASA/FTD software · Network access to the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 1 stars
by Cappricio-Securities · poc
https://github.com/Cappricio-Securities/CVE-2020-3187

This repository contains a Python-based scanner for detecting CVE-2020-3187, a vulnerability in Cisco ASA and FTD software. The tool checks for the presence of vulnerable endpoints and integrates with Telegram for notifications.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Cisco ASA and FTD software
No auth needed
Prerequisites: Python 3 · requests library · Telegram API for notifications
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 1 stars
by CrackerCat · poc
https://github.com/CrackerCat/CVE-2020-3187

This repository contains a functional exploit for CVE-2020-3187, a directory traversal vulnerability in Citrix ADC/Netscaler. The exploit leverages a two-stage attack to write a malicious XML file to the system and then trigger its execution, resulting in remote code execution (RCE).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Citrix ADC/Netscaler
No auth needed
Prerequisites: Network access to the vulnerable Citrix ADC/Netscaler instance · A listener (e.g., netcat) to catch the reverse shell
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SCANNER
by sunyyer · infoleak
https://github.com/sunyyer/CVE-2020-3187-Scanlist

The repository contains a Python script that scans for CVE-2020-3187 by checking if the target URL responds with a 200 status code when accessing a specific path. It does not exploit the vulnerability but detects its presence.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Cisco ASA and FTD software
No auth needed
Prerequisites: List of target URLs in a text file
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by sujaygr8 · poc
https://github.com/sujaygr8/CVE-2020-3187

This repository contains a functional exploit for CVE-2020-3187, a path traversal vulnerability in Cisco ASA and FTD software. The exploit uses a crafted HTTP request with a malicious cookie to delete arbitrary files on the target system.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Cisco ASA and FTD software
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Cisco Adaptive Security Appliance Software/Cisco Firepower Threat Defense - Directory Traversal
CRITICALby KareemSe1im

References (2)

Core 2

Scores

CVSS v3 9.1
EPSS 0.9659
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-05-22
CWE
CWE-22
Status published
Products (14)
cisco/adaptive_security_appliance_software 9.6 - 9.6.4.40
cisco/asa_5505_firmware 9.6\(4\)
cisco/asa_5510_firmware 9.6\(4\)
cisco/asa_5512-x_firmware 9.6\(4\)
cisco/asa_5515-x_firmware 9.6\(4\)
cisco/asa_5520_firmware 9.6\(4\)
cisco/asa_5525-x_firmware 9.6\(4\)
cisco/asa_5540_firmware 9.6\(4\)
cisco/asa_5545-x_firmware 9.6\(4\)
cisco/asa_5550_firmware 9.6\(4\)
... and 4 more
Published May 06, 2020
Tracked Since Feb 18, 2026