CVE-2020-3580
CVE-2020-3580 is a medium-severity vulnerability in Cisco Firepower Threat Defense with a CVSS 3.x base score of 6.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-79.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v2: 2.6
- EPSS exploit prediction: 85% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-24851
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-79
- Affected product: Cisco Firepower Threat Defense
- Published:
- Last modified:
Description
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
CVE-2020-3580: Multiple XSS Vulnerabilities in Cisco ASA and FTD Web Services
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2020-3580 |
| Published | 2020-10-21 |
| CVSS v3 | 6.1 (MEDIUM) |
| CVSS v2 | 2.6 |
| EPSS | 0.85439 (99.693 percentile) |
| KEV | Yes (added 2021-11-03) |
| CWE | CWE-79 |
| Affected | Cisco ASA Software, Cisco FTD Software |
| Source | NVD |
Summary
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface. The attacker can execute arbitrary script code in the context of the interface or access sensitive browser-based information.
Background
Cisco ASA and FTD are widely deployed network security appliances. The web services interface provides remote access via AnyConnect and WebVPN configurations. Because these interfaces are exposed to remote users and often handle administrative sessions, they represent high-value targets for attackers seeking to compromise security infrastructure.
Root Cause
The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation). The web services interface fails to adequately validate or sanitize user-supplied input before reflecting it in the output presented to users. This insufficient input validation allows an attacker to inject malicious script content that the browser executes in the context of the trusted interface.
Impact
The vulnerability has a CVSS v3 score of 6.1 (MEDIUM).
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed (the vulnerable component impacts resources beyond its security scope)
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Successful exploitation allows an attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Because the scope is changed, the compromised interface can potentially affect the broader security appliance session.
Exploitation Walkthrough (Defensive Perspective)
Ethics Note: This section is written for defensive analysis and detection only. It does not provide working exploit code or step-by-step attack instructions.
An attacker crafts a malicious URL containing a script payload embedded in a query parameter or path segment of the ASA/FTD web interface. The attacker then socially engineers an authenticated user or administrator into clicking the link—typically through phishing, email, or a malicious web page. When the victim clicks the link, the browser sends the request to the vulnerable interface, which reflects the unsanitized input into the response. The browser executes the injected script in the context of the current session, granting the attacker access to session tokens, administrative cookies, or the ability to perform actions on behalf of the user.
From a defender's standpoint, this attack chain highlights the importance of: user awareness training, browser isolation for administrative access, and strict validation of all inbound URL parameters.
Affected and Patched Versions
The exact patched versions are not specified in the available data. Affected products include:
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. Administrators should consult the Cisco Security Advisory for specific version guidance and patch availability.
Remediation
- Upgrade: Apply the fixed software versions as recommended by Cisco in the official security advisory.
- Compensating Controls:
- Restrict web interface access to dedicated, trusted management networks.
- Enforce multi-factor authentication (MFA) for all administrative access.
- Deploy a Web Application Firewall (WAF) or reverse proxy with XSS filtering rules in front of the management interface.
- Implement Content Security Policy (CSP) headers on the web interface where supported by the platform.
- Disable unnecessary web services or AnyConnect/WebVPN configurations if not required.
Detection
- Monitor web access logs for suspicious URL parameters containing
<script>tags,javascript:, or encoded variants (e.g.,%3Cscript%3E). - Alert on anomalous administrative actions performed from known sessions shortly after unusual referrer patterns.
- Review browser console and network logs for unexpected script execution during administrative sessions.
- Correlate EPSS and KEV data to prioritize SOC monitoring for this CVE.
Assessment
With an EPSS of 0.85439 (99.693 percentile), this vulnerability has an extremely high probability of being exploited in the wild. Inclusion in the CISA KEV catalog since 2021-11-03 confirms active exploitation. The high EPSS and KEV status, combined with the fact that this affects security appliances, make this a priority patching target despite its "medium" CVSS score.
Key lessons:
- Even XSS vulnerabilities rated as "medium" CVSS can become critical when they target administrative interfaces on security appliances.
- Vendor security appliances require the same rigorous input validation and output encoding as public-facing web applications.
References
Frequently asked questions
- What is CVE-2020-3580?
- Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.
- How severe is CVE-2020-3580?
- CVE-2020-3580 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2020-3580 being actively exploited?
- Yes. CVE-2020-3580 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-3580?
- CVE-2020-3580 primarily affects Cisco Firepower Threat Defense. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-3580?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-3580 have an EU (EUVD) identifier?
- Yes. CVE-2020-3580 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-24851. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-3580 published?
- CVE-2020-3580 was published on 2020-10-21 and last updated on 2026-06-17.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-multiple-FCB3vPZe
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3580
Affected products (2)
- cpe:2.3:o:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
More vulnerabilities in Cisco Firepower Threat Defense
- CVE-2021-44228 — Critical (CVSS 10.0): Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in…
- CVE-2018-0101 — Critical (CVSS 10.0): A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA)…
- CVE-2025-20333 — Critical (CVSS 9.9): A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco…
- CVE-2024-20412 — Critical (CVSS 9.3): A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series…
- CVE-2020-3187 — Critical (CVSS 9.1): A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower…
- CVE-2025-20363 — Critical (CVSS 9.0): A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure…
All CVEs affecting Cisco Firepower Threat Defense →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →