CVE-2020-3578

MEDIUM

Cisco ASA/Firepower Threat Defense WebVPN Portal Unauthenticated Access Rule Bypass

Title source: llm

Description

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access rule and access parts of the WebVPN portal that are supposed to be blocked. The vulnerability is due to insufficient validation of URLs when portal access rules are configured. An attacker could exploit this vulnerability by accessing certain URLs on the affected device.

References (1)

Core 1

Core References

Patch, Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rule-bypass-P73ABNWQ

Scores

CVSS v3 5.3

EPSS 0.0018

EPSS Percentile 39.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

cisco/adaptive_security_appliance_software < 9.6.4.45

cisco/firepower_threat_defense < 6.3.0.6

Published Oct 21, 2020

Tracked Since Feb 18, 2026