PT-2020-03: Information disclosure in Сisco ASA and Cisco FTD

Cisco ASA, Cisco FTD


Severity level: High
Impact: Information disclosure in Сisco ASA and Cisco FTD
Access Vector: Remote

CVSS v3 Base Score: 7.5 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X

CVE: CVE-2020-3259

Vulnerability description:

Successful exploitation of this vulnerability allows an unauthorized, remote attacker to read arbitrary heap memory of the device and obtain a valid session ID of a user connected to Cisco VPN. The attacker can use the obtained session ID to access the organization’s intranet. Cisco ASA memory may also contain other sensitive information, like usernames, email addresses, and certificates, which can be used to further compromise the system.

Advisory status:

21.02.2020 - Vendor gets vulnerability details 06.05.2020 - Vendor releases fixed version and details


The vulnerability was discovered by Mikhail Klyuchnikov and Nikita Abramov, Positive Technologies