IRONSMITHINTEL
Medium | CVSS 6.1 | Actively Exploited | CISA KEV | CVE-2020-3580 | Auth: none — unauthenticated | Reboot: required | Manual only

Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.

Published Oct 21, 2020 · Updated May 16, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

A remote attacker, without authentication, can achieve partial data exposure and partial data tampering. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2022-05-03 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is a Cross-Site Scripting (XSS) vulnerability (CWE-79) in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Multiple vulnerabilities in the web services interface of these products could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface. An attacker could exploit them by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or to access sensitive, browser-based information. Note: these vulnerabilities affect only specific AnyConnect and WebVPN configurations; for details, see the Vulnerable Products section of the vendor advisory. Exploitation requires remote network access and user interaction, has low attack complexity, and needs no authentication.

Attack chain: Phishing link → Malicious file → Server compromised

Am I affected? (quick check)

Probably yes if any of these apply:

- Network Security Team
- Firewall Administrators
- IT Security
- Running Firepower Threat Defense: v < 6.4.0.12, 6.5.0 ≤ v < 6.6.4, or 6.7.0 ≤ v < 6.7.0.2
- Running Adaptive Security Appliance Software: v < 9.8.4.34, 9.9 ≤ v < 9.9.2.85, 9.10 ≤ v < 9.12.4.13, 9.13 ≤ v < 9.13.1.21, 9.14 ≤ v < 9.14.2.8, or 9.15 ≤ v < 9.15.1.15

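
A version-range check for the affected releases listed above, added here as an example (it is not IronsmithIntel's or Cisco's own tooling): it assumes the `9.12(4)13` release format that ASA `show version` prints and uses a constructed inventory of hypothetical hostnames. It tests versions only, so a match still needs the AnyConnect/WebVPN configuration review the advisory calls for.

```python
import re

# Affected ranges exactly as listed on this page: (low inclusive or None, high exclusive).
AFFECTED = {
    "ftd": [(None, "6.4.0.12"), ("6.5.0", "6.6.4"), ("6.7.0", "6.7.0.2")],
    "asa": [(None, "9.8.4.34"), ("9.9", "9.9.2.85"), ("9.10", "9.12.4.13"),
            ("9.13", "9.13.1.21"), ("9.14", "9.14.2.8"), ("9.15", "9.15.1.15")],
}

def parse_version(text):
    """Return a 4-tuple of ints from '9.12(4)13', '9.12.4.13' or 'Version 6.6.4'.

    ASA 'show version' prints releases as 9.12(4)13 (assumed format), so '(' and
    ')' count as dots; short versions are zero-padded so '9.9' is 9.9.0.0.
    """
    match = re.search(r"\d+(?:[.()]\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in re.split(r"[.()]", match.group(0)) if p]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(product, version_text):
    """True when the running version is in an affected range for 'asa' or 'ftd'.

    A match is a patch-priority signal only: per the advisory just specific
    AnyConnect and WebVPN configurations are exposed, so review the config too.
    """
    v = parse_version(version_text)
    for low, high in AFFECTED[product]:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return True
    return False

def triage(inventory):
    """inventory: iterable of (hostname, product, version_text); returns hosts to patch."""
    return [host for host, product, version in inventory if is_affected(product, version)]

# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "asa", "9.12(4)12"),  # below 9.12.4.13 -> affected
    ("fw-edge-2", "asa", "9.12(4)13"),  # fixed release -> not affected
    ("ftd-dc-1", "ftd", "6.6.3"),       # 6.5.0 <= v < 6.6.4 -> affected
    ("ftd-dc-2", "ftd", "6.7.0.2"),     # fixed release -> not affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: patch required (CVE-2020-3580)")
```
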
Real-world incidents: what we've seen

CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2021-11-03; federal agencies required to remediate by 2022-05-03.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

1. Vendor advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe
2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-3580
3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3580

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.