Cisco ASA and FTD Information Disclosure Vulnerability

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

Published May 6, 2020 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2024-03-07 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Information Disclosure (CWE-200) vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●Network Security Team

●Firewall Administrators

●IT Security

●Running firepower threat defense: 6.2.3 ≤ v < 6.2.3.16, 6.3.0 ≤ v < 6.3.0.6, 6.4.0 ≤ v < 6.4.0.9, 6.5.0 ≤ v < 6.5.0.5; adaptive security appliance software: 9.8 ≤ v < 9.8.4.20, 9.9 ≤ v < 9.9.2.67, 9.10 ≤ v < 9.10.1.40, 9.12 ≤ v < 9.12.3.9, 9.13 ≤ v < 9.13.1.10

Real-world incidentsWhat we've seen

CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2024-02-15; federal agencies required to remediate by 2024-03-07.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

Vendor advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-3259

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3259

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2020-3259 ↗ NVD ↗ Vendor Advisory